A recently patched vulnerability in a core Windows driver could allow a local attacker to execute code with the highest system privileges, effectively taking full control of a target machine.
The flaw, identified as CVE-2025-53149, is a heap-based buffer overflow discovered in the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys). Microsoft addressed the issue in its security updates released on August 12, 2025.
The vulnerability was discovered by security researchers who stumbled upon the flaw during internal analysis. Following a responsible disclosure process, the bug was reported to Microsoft, leading to the development and release of a patch.
The affected component, ksthunk.sys, is a crucial driver for maintaining backwards compatibility on 64-bit versions of Windows.
Its primary function is to serve as a “thunk” layer, a small piece of code that translates requests between different system architectures. Specifically, it bridges the gap between 32-bit user-mode applications and 64-bit kernel-mode drivers that manage real-time data streams for audio and video.
This driver is part of the wider Kernel Streaming (KS) framework, a foundational Windows technology for handling high-performance, low-latency multimedia data.
By allowing older 32-bit software to interact with modern 64-bit kernel components, KSThunk ensures that legacy applications can still function correctly. However, it is within this complex translation process that the security flaw was found.
Windows Heap-based Buffer Overflow Vulnerability
The vulnerability resides in the CKSAutomationThunk::HandleArrayProperty() function of the ksthunk.sys driver (SHA-1: 68B5B527550731DD657BF8F1E8FA31E895A7F176).
An attacker can trigger this flaw by sending a specially crafted request from a 32-bit application to a device that uses the Kernel Streaming interface.

The core of the issue lies in how the driver handles requests to get a specific property from a device, such as KSPROPSETID_VPConfig. The vulnerable code path first calls a function to determine the size of the data that needs to be returned.
It then prepares to copy this data into an output buffer provided by the user-mode application.
The critical mistake is a missing validation step. The function checks that the provided output buffer isn’t empty, but it fails to verify if the buffer is actually large enough to hold the data it is about to receive from the device.
Consequently, when the driver proceeds to copy the data, it can write past the boundary of the allocated buffer. This action results in a heap-based buffer overflow within the kernel’s non-paged pool, a critical memory region.
A successful exploit could allow an attacker to corrupt kernel memory and execute arbitrary code with kernel-level privileges.
To trigger the vulnerability, an attacker would need to run code on a target system and make a specific DeviceIoControl call. However, there is a significant prerequisite: the system must have a hardware device installed that supports the vulnerable property set (KSPROPSETID_VPConfig or KSPROPSETID_VPVBIConfig).
While the researchers were unable to find such a device on their test systems, the vulnerability remains a threat on systems where one is present.
Microsoft has corrected the vulnerability in the patched version of ksthunk.sys. The updated driver now includes the necessary size check, ensuring that the output buffer is large enough before the copy operation begins. If the buffer is too small, the operation is safely aborted.
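The missing check and its fix can be shown side by side in plain C. The following is an added, constructed illustration written for this article, not code from ksthunk.sys or from Microsoft: the status codes, the function names (flawed_validate, fixed_validate, get_property_safe, request_with_length, device_property_size) and the 64-byte sample property payload are all assumptions chosen to model the "query size, then copy into the caller's output buffer" pattern the article describes. The flawed validator checks only that an output buffer exists, exactly the gap described above; the fixed validator also compares the caller's buffer length against the size the device is about to return and aborts before any copy when it is too small.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed status codes standing in for NTSTATUS values; the real codes are not on the page. */
typedef int KS_STATUS;
enum { KS_OK = 0, KS_INVALID_PARAM = 1, KS_BUFFER_TOO_SMALL = 2 };

/* Constructed stand-in for the device's property data (64 bytes of sample content). */
#define DEVICE_PROP_SIZE 64
static uint8_t g_device_prop[DEVICE_PROP_SIZE];

/* Hypothetical size query, modelling the "determine the size of the data" step. */
static size_t device_property_size(void) { return DEVICE_PROP_SIZE; }

/* Flawed validation, mirroring the description of the bug: it only checks that an output
   buffer is present and ignores how many bytes the device is about to return. */
static KS_STATUS flawed_validate(const void *out, size_t out_len, size_t needed) {
    (void)needed;                              /* the incoming size is never compared */
    if (out == NULL || out_len == 0) return KS_INVALID_PARAM;
    return KS_OK;                              /* copy proceeds even when out_len < needed */
}

/* Corrected validation: the copy may only proceed when the buffer can hold 'needed' bytes. */
static KS_STATUS fixed_validate(const void *out, size_t out_len, size_t needed) {
    if (out == NULL || out_len == 0) return KS_INVALID_PARAM;
    if (out_len < needed) return KS_BUFFER_TOO_SMALL;   /* the check that was missing */
    return KS_OK;
}

/* Hardened property-get: query the size, validate against the caller's length, then copy.
   Nothing is written to 'out' unless validation passes. */
static KS_STATUS get_property_safe(uint8_t *out, size_t out_len, size_t *bytes_returned) {
    size_t needed = device_property_size();
    KS_STATUS st = fixed_validate(out, out_len, needed);
    if (bytes_returned) *bytes_returned = 0;
    if (st != KS_OK) return st;
    memcpy(out, g_device_prop, needed);
    if (bytes_returned) *bytes_returned = needed;
    return KS_OK;
}

/* Simulates a caller that owns a 128-byte allocation but reports 'claimed_len' as its size,
   the way a user-mode request carries its own output-buffer length. */
static KS_STATUS request_with_length(size_t claimed_len, size_t *bytes_returned) {
    static uint8_t user_buf[128];
    if (claimed_len > sizeof user_buf) claimed_len = sizeof user_buf;
    return get_property_safe(user_buf, claimed_len, bytes_returned);
}

/* Returns 1 if the flawed path would have copied 'needed' bytes into a buffer of 'out_len'
   bytes, i.e. written past its end. No memory is actually overrun here. */
static int flawed_path_would_overflow(size_t out_len, size_t needed) {
    static uint8_t probe[1];
    return flawed_validate(probe, out_len, needed) == KS_OK && out_len < needed;
}

int main(void) {
    size_t n = 0;
    KS_STATUS st;
    memset(g_device_prop, 0xA5, sizeof g_device_prop);   /* constructed sample payload */
    printf("flawed path, 8-byte buffer: would overflow = %d\n",
           flawed_path_would_overflow(8, device_property_size()));
    printf("fixed path, 8-byte buffer: status = %d\n", request_with_length(8, &n));
    st = request_with_length(64, &n);
    printf("fixed path, 64-byte buffer: status = %d, bytes = %zu\n", st, n);
    return 0;
}
```

The defensive pattern is the same one the patched driver is described as applying: the size of the data to be returned is known before the copy, so it must be compared against the caller-supplied output length, and the request must fail (with the required size reported, where the interface allows it) rather than proceed. Reviewing IOCTL handlers for any copy whose length is derived from device or kernel state but not bounded by the user's buffer length is the practical check to take from this bug.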
Users and administrators are strongly advised to apply the latest Windows security updates to ensure their systems are protected against CVE-2025-53149 and other threats.