A recently patched vulnerability in a core Windows driver could allow a local attacker to execute code with the highest system privileges, effectively taking full control of a target machine.
The flaw, identified as CVE-2025-53149, is a heap-based buffer overflow found in the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys). Microsoft addressed the issue in its security updates released on August 12, 2025.
The vulnerability was discovered by security researchers who stumbled upon the flaw during internal analysis. Following a responsible disclosure process, the bug was reported to Microsoft, leading to the development and release of a patch.
The affected component, ksthunk.sys, is a critical driver for maintaining backwards compatibility on 64-bit versions of Windows.
Its primary function is to serve as a "thunk" layer, a small piece of code that translates requests between different system architectures. Specifically, it bridges the gap between 32-bit user-mode applications and 64-bit kernel-mode drivers that manage real-time data streams for audio and video.
This driver is part of the broader Kernel Streaming (KS) framework, a foundational Windows technology for handling high-performance, low-latency multimedia data.
By allowing older 32-bit software to interact with modern 64-bit kernel components, KSThunk ensures that legacy applications can still function correctly. However, it is within this complex translation process that the security flaw was found.
Windows Heap-based Buffer Overflow Vulnerability
The vulnerability resides in the CKSAutomationThunk::HandleArrayProperty() function of the ksthunk.sys driver (SHA-1: 68B5B527550731DD657BF8F1E8FA31E895A7F176).
An attacker can trigger this flaw by sending a specially crafted request from a 32-bit application to a device that uses the Kernel Streaming interface.
The core of the issue lies in how the driver handles requests to get a specific property from a device, such as KSPROPSETID_VPConfig. The vulnerable code path first calls a function to determine the size of the data that needs to be returned.
It then prepares to copy this data into an output buffer provided by the user-mode application.
The critical mistake is a missing validation step. The function checks that the provided output buffer is not empty, but it fails to verify whether the buffer is actually large enough to hold the data it is about to receive from the device.
As a result, when the driver proceeds to copy the data, it can write past the boundary of the allocated buffer. This results in a heap-based buffer overflow within the kernel's non-paged pool, a critical memory region.
A successful exploit could allow an attacker to corrupt kernel memory and execute arbitrary code with kernel-level privileges.
To trigger the vulnerability, an attacker would need to run code on a target system and make a specific DeviceIoControl call. However, there is a significant prerequisite: the system must have a hardware device installed that supports the vulnerable property set (KSPROPSETID_VPConfig or KSPROPSETID_VPVBIConfig).
While the researchers were unable to find such a device on their test systems, the vulnerability remains a threat on systems where one is present.
Microsoft has corrected the vulnerability in the patched version of ksthunk.sys. The updated driver now includes the necessary size check, ensuring that the output buffer is large enough before the copy operation begins. If the buffer is too small, the operation is safely aborted.
Users and administrators are strongly advised to apply the latest Windows security updates to ensure their systems are protected against CVE-2025-53149 and other threats.
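The missing-check pattern described above and the kind of size check the fix adds, modeled as an added user-mode C illustration that is not code from ksthunk.sys or from the researchers: check_not_empty stands in for the flawed "buffer is not empty" validation, check_fits for the corrected "buffer is large enough" validation, and the status values, payload and function names are constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed status values standing in for the driver's NTSTATUS results (hypothetical). */
enum prop_status {
    PROP_OK = 0,
    PROP_BUFFER_TOO_SMALL = 1,  /* request rejected before any copy */
    PROP_OVERFLOW_REACHED = 2   /* sentinel: a real driver would now overrun the pool buffer */
};

typedef int (*size_check_fn)(size_t out_len, size_t needed);

/* The flawed validation: only an empty output buffer is rejected, its size is never compared. */
static int check_not_empty(size_t out_len, size_t needed) { (void)needed; return out_len != 0; }

/* The corrected validation: the buffer must hold the whole property payload. */
static int check_fits(size_t out_len, size_t needed) { return out_len >= needed; }

/* Models a GET-property handler: payload size already determined, validate, then copy to the caller. */
static enum prop_status copy_property(uint8_t *out, size_t out_len,
                                      const uint8_t *data, size_t data_len,
                                      size_check_fn check, size_t *written)
{
    if (written) *written = 0;
    if (!check(out_len, data_len))
        return PROP_BUFFER_TOO_SMALL;          /* safe abort: the fixed driver stops here */
    if (data_len > out_len)
        return PROP_OVERFLOW_REACHED;          /* demo guard only; the real driver had no such line */
    memcpy(out, data, data_len);
    if (written) *written = data_len;
    return PROP_OK;
}

/* One scenario: a constructed 16-byte property payload against a caller buffer of out_len bytes (<= 16). */
static enum prop_status demo(size_check_fn check, size_t out_len, size_t *written)
{
    static const uint8_t payload[16] = "KSPROP-PAYLOAD!";
    uint8_t out[16] = {0};
    return copy_property(out, out_len, payload, sizeof payload, check, written);
}

int main(void)
{
    printf("flawed check, 4-byte buffer -> status %d (overflow reached)\n", demo(check_not_empty, 4, NULL));
    printf("fixed check,  4-byte buffer -> status %d (safely aborted)\n", demo(check_fits, 4, NULL));
    return 0;
}
```

A non-empty but undersized buffer passes the flawed check and reaches the copy, which is exactly the gap the patched driver closes by comparing the buffer length against the required size first.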