Microsoft has patched a significant use-after-free vulnerability in its Brokering File System (BFS) driver, tracked as CVE-2025-29970.
The flaw allows local attackers to escalate privileges on Windows systems running isolated or sandboxed applications, making it a notable concern for enterprise security.
The vulnerability exists in bfs.sys, a minifilter driver developed alongside Windows AppContainer and AppSilo, Microsoft's sandbox mechanisms for isolating Win32 applications.
CVE ID: CVE-2025-29970
Vulnerability Type: Use-After-Free (UAF)
Affected Component: Brokering File System (bfs.sys)
Security Impact: Local Privilege Escalation
CVSS Score: 8.8 (High)
Affected Versions: Windows 11, Server 2022+

BFS manages file, pipe, and registry operations from isolated applications, making it an attractive target for privilege escalation attacks.
Microsoft Brokering File System Vulnerability
The root cause lies in improper memory management within the deallocation logic of BFS's DirectoryBlockList.
The vulnerable code deallocates the linked-list head while still iterating through the remaining entries in the same loop, creating a classic use-after-free condition.
When policy entries are removed via the BfsProcessDeletePolicyEntryRequest IOCTL, this vulnerable deallocation path is triggered, allowing attackers to manipulate freed memory structures.
Vulnerability Overview
HT3Labs, the security research team that discovered this flaw, documented the vulnerability as affecting bfs.sys version 26100.4061.
In the patch, Microsoft moved the deallocation loop into a dedicated BfsCloseRootDirectory function, ensuring the list head is deallocated only after all entries have been processed.
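To make the root cause and the shape of the fix concrete, here is an added illustration in C. It is not bfs.sys code; the names policy_entry, directory_block_list and close_root_directory_* are hypothetical stand-ins for the driver's DirectoryBlockList and BfsCloseRootDirectory, and a constructed tracking allocator replaces the kernel pool so that a touch of freed memory is counted rather than crashing the process. The vulnerable routine frees the list head inside the loop that is still walking its entries, as the article describes; the fixed routine frees the head only after the walk completes.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not bfs.sys code. Names below (policy_entry,
 * directory_block_list, close_root_directory_*) are hypothetical stand-ins for
 * the driver's DirectoryBlockList and BfsCloseRootDirectory. A tracking
 * allocator replaces the kernel pool: "free" only clears a live flag, so a
 * touch of freed memory is counted instead of being undefined behaviour. */

#define POOL_SLOTS 16
union pool_slot { unsigned char raw[32]; void *align; }; /* pointer-aligned */
static union pool_slot pool_mem[POOL_SLOTS];
static int pool_live[POOL_SLOTS];

static int pool_index(const void *p)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (p == (const void *)&pool_mem[i]) return i;
    return -1;
}

static void *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_live[i]) {
            pool_live[i] = 1;
            memset(&pool_mem[i], 0, sizeof pool_mem[i]);
            return &pool_mem[i];
        }
    return NULL;
}

/* Contents stay in place after free, as with a real allocator. */
static void pool_free(void *p) { int i = pool_index(p); if (i >= 0) pool_live[i] = 0; }
static int pool_is_live(const void *p) { int i = pool_index(p); return i >= 0 && pool_live[i]; }

static int pool_live_count(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SLOTS; i++) n += pool_live[i];
    return n;
}

struct policy_entry { struct policy_entry *next; unsigned id; };
struct directory_block_list {
    struct policy_entry *first;  /* singly linked entries */
    unsigned remaining;          /* bookkeeping kept in the head block */
};

/* Head block plus n entries; NULL if the pool is exhausted. */
static struct directory_block_list *build_list(unsigned n)
{
    struct directory_block_list *list = pool_alloc();
    if (!list) return NULL;
    for (unsigned i = 0; i < n; i++) {
        struct policy_entry *e = pool_alloc();
        if (!e) return NULL;
        e->id = i + 1;
        e->next = list->first;
        list->first = e;
        list->remaining++;
    }
    return list;
}

/* Vulnerable shape: the head block is released on the first pass of the loop
 * that is still walking the entries; every later pass still updates it.
 * Returns how many times freed memory was touched (0 means clean). */
static int close_root_directory_vulnerable(struct directory_block_list *list)
{
    int uaf_hits = 0;
    struct policy_entry *e = list->first;
    while (e) {
        struct policy_entry *next = e->next;
        int is_first = (e == list->first);
        pool_free(e);
        if (is_first) pool_free(list);       /* BUG: head freed while entries remain */
        if (!pool_is_live(list)) uaf_hits++; /* stands in for the kernel fault */
        list->remaining--;                   /* write into the freed head block */
        e = next;
    }
    return uaf_hits;
}

/* Patched shape: a dedicated close routine frees every entry first and
 * releases the head block only once the walk has completed. */
static int close_root_directory_fixed(struct directory_block_list *list)
{
    int uaf_hits = 0;
    struct policy_entry *e = list->first;
    while (e) {
        struct policy_entry *next = e->next;
        pool_free(e);
        if (!pool_is_live(list)) uaf_hits++;
        list->remaining--;
        e = next;
    }
    list->first = NULL;
    pool_free(list);                         /* head released last */
    return uaf_hits;
}

int main(void)
{
    int bad = close_root_directory_vulnerable(build_list(3));
    int good = close_root_directory_fixed(build_list(3));
    int live = pool_live_count();
    printf("vulnerable teardown touched freed memory %d times\n", bad);
    printf("fixed teardown touched freed memory %d times (%d blocks still live)\n", good, live);
    return 0;
}
```

With three entries the vulnerable routine reports three touches of the freed head block and the fixed routine reports none, with nothing left allocated afterwards. The point of the tracking allocator is that the ordering bug is visible on every run; in the real driver the same write lands in pool memory that may already have been reused, which is why the article reports crashes only under sustained add-remove cycling.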
Exploitation Requirements
Successful exploitation requires specific conditions: the attacker must impersonate an appropriate process with AppSilo token capabilities, create policy entries within the system, and repeatedly trigger removal operations to force reclamation of the freed memory.
Testing revealed that only Medium Integrity Level processes can access the BFS device, limiting the scope of exploitation but not eliminating the risk.
The attack sequence involves impersonating a low-box token, creating temporary files in isolated application directories, and executing rapid IOCTL-based add-remove cycles.
While immediate system crashes were not observed, owing to memory allocation patterns, sustained exploitation reliably triggers a fatal system error (0x00000050) in bfs.sys.
This vulnerability poses a significant threat to systems that use Windows sandbox features, particularly enterprises that deploy isolated applications for enhanced security.
Microsoft released patches in January 2025; organizations should prioritize applying them immediately. Security teams should monitor for exploitation attempts targeting medium-integrity processes, and consider restricting untrusted application execution in sandboxed environments until the patch is deployed.
According to PixiePointSecurity, the finding shows that even specialized security drivers can still suffer from subtle memory management flaws, reinforcing the need for continuous security assessment of Windows kernel-mode components.
