A new kernel address leak vulnerability has been discovered in the latest versions of Windows 11 (24H2) and Windows Server 2022 (24H2).
The flaw, identified as CVE-2025-53136, was ironically introduced by a Microsoft patch intended to fix a separate vulnerability, CVE-2024-43511.
According to Crowdfense, the new bug undermines recent security enhancements in Windows, providing a reliable method for attackers to bypass Kernel Address Space Layout Randomization (KASLR), a critical defense mechanism.
In recent updates, particularly starting with the 24H2 versions of Windows 11 and Windows Server 2022, Microsoft took significant steps to harden the operating system kernel against attacks.
The company restricted access to kernel base addresses by limiting functions like NtQuerySystemInformation().
This change meant that only highly privileged processes could retrieve this information, effectively neutralizing a common technique used by attackers to bypass KASLR and making it much harder to exploit kernel vulnerabilities.
However, analysis of the October 2024 patch for CVE-2024-43511, a Time-of-check Time-of-use (TOCTOU) race condition vulnerability, revealed a critical error.
In fixing the original bug, developers modified the RtlSidHashInitialize() function. The new code temporarily writes a sensitive kernel pointer from the TOKEN structure into a user-controlled buffer.
Although the pointer is quickly removed, it creates a small but exploitable time window for an attacker to read it.
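The defect pattern described above, as an added illustration rather than code from the article or from Windows: a constructed user-mode simulation in which a "kernel" routine fills a caller-supplied buffer, and every store into that buffer is logged to stand in for what a concurrently running reader thread could observe. The structure layout, the sample token address and the function names are all invented for the demonstration; the point is that a value scrubbed after it reaches user-visible memory has already been exposed, so the hardened version strips it in private memory before the single copy-out.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Constructed simulation, not Windows code. A "kernel" routine fills a
 * caller-supplied ("user") buffer; every store into user memory is also
 * logged, standing in for what a racing user thread could see between
 * the write and the later scrub. */
#define KERNEL_TOKEN_ADDR 0xFFFF9A8012345678ULL   /* constructed sample value */

typedef struct { uint64_t sid_hash; uint64_t owner; } access_info_t;

static uint64_t observed[16];   /* values a racing reader could have seen */
static int n_observed;

static void copy_to_user(void *user_dst, const void *src, size_t len) {
    memcpy(user_dst, src, len);
    const access_info_t *v = user_dst;  /* record what became visible */
    if (n_observed < 16) observed[n_observed++] = v->owner;
}

/* Vulnerable pattern: stage the result in the user buffer itself. The
 * kernel pointer lands in user memory and is only scrubbed afterwards. */
void query_vulnerable(access_info_t *user_buf) {
    access_info_t tmp = { .sid_hash = 0x1234, .owner = KERNEL_TOKEN_ADDR };
    copy_to_user(user_buf, &tmp, sizeof tmp);      /* pointer now visible */
    tmp.owner = 0;                                  /* scrub, but too late */
    copy_to_user(user_buf, &tmp, sizeof tmp);
}

/* Hardened pattern: do all work in kernel-private memory and copy out
 * once, after every kernel pointer has been removed. */
void query_hardened(access_info_t *user_buf) {
    access_info_t tmp = { .sid_hash = 0x1234, .owner = KERNEL_TOKEN_ADDR };
    tmp.owner = 0;                                  /* strip before copy-out */
    copy_to_user(user_buf, &tmp, sizeof tmp);
}

/* Did any value visible in user memory ever equal the kernel pointer? */
bool leaked(void (*query)(access_info_t *)) {
    access_info_t user_buf = {0};
    n_observed = 0;
    query(&user_buf);
    for (int i = 0; i < n_observed; i++)
        if (observed[i] == KERNEL_TOKEN_ADDR) return true;
    return false;
}
```

The same check applies when reviewing real kernel copy-out paths: audit what the user-visible buffer holds at every intermediate step, not only its final contents.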
Exploiting The Race Condition
An attacker can trigger this vulnerability by making a specific system call (NtQueryInformationToken() with the TokenAccessInformation class) while simultaneously running a separate thread to read the memory location where the kernel address is briefly leaked.
Despite being a race condition, the time window is reportedly wide enough to make the exploit highly reliable. A proof-of-concept demonstrates that the leaked TOKEN address can be obtained almost every time the exploit is run, Crowdfense added.

The impact is significant because this leak works on the latest, fully patched versions of Windows 11 and can be executed from low-privilege environments, including sandboxed AppContainer applications. While the vulnerability itself only leaks information, it serves as a powerful primitive.

When chained with a separate bug, such as a “write-what-where” condition, an attacker could achieve a full Local Privilege Escalation (LPE) by overwriting the Privileges field of the TOKEN object.
This discovery highlights a common challenge in software security: fixing one vulnerability can sometimes inadvertently create another. The researcher who discovered the flaw followed a responsible disclosure process, which began on April 8, 2025.
After some initial confusion where the report was mistakenly closed as a duplicate, Microsoft eventually acknowledged the new, valid bug on April 25 and assigned it CVE-2025-53136 in August.