CVE-2025-0286
BioNTdrv.sys -- arbitrary kernel memory write allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | BioNTdrv.sys (Paragon Partition Manager) |
| Vulnerability Class | Arbitrary Kernel Write |
| Exploited ITW | No |
| Vendor | Paragon Software |
Root Cause
Alongside the arbitrary memory mapping IOCTL documented in CVE-2025-0285, BioNTdrv.sys exposes a separate IOCTL that writes directly to arbitrary kernel virtual addresses. The caller provides a target address and the data to write, and the driver executes the write at kernel privilege without any validation.
Where CVE-2025-0285 provides a read/write mapping, CVE-2025-0286 provides a direct write primitive. The driver does not check the caller's privilege level, does not validate the target address, and does not restrict the write to any safe memory region. This is the second of five vulnerabilities in the same driver (alongside CVE-2025-0285, CVE-2025-0287, CVE-2025-0288, and CVE-2025-0289), all reported simultaneously through CERT/CC's VU#726882 coordination.
The write IOCTL is arguably more dangerous than the mapping IOCTL from a BYOVD perspective. A mapping requires the attacker to parse kernel structures from the mapped view, while a write primitive can be used in a single call to overwrite a known offset in a kernel object (such as a token pointer in an EPROCESS structure), provided the attacker has the target address from another source.
Exploitation
The attacker opens a handle to the BioNTdrv.sys device and issues the write IOCTL with a target kernel virtual address and the desired data. If the target address is the current process's EPROCESS.Token field, a single IOCTL call can swap the token for SYSTEM.
In practice, the attacker may combine CVE-2025-0285 (the mapping IOCTL for kernel memory read) with CVE-2025-0286 (the write IOCTL) for a complete read/write chain: read to find the target address, then write to modify it.
Exploitation Primitive
Open device handle -> write IOCTL -> arbitrary kernel memory write -> SYSTEM
Broader Significance
The coexistence of five distinct vulnerability classes in a single driver (memory mapping, arbitrary write, and three others) demonstrates what happens when a kernel driver is designed for functionality without security constraints. Each IOCTL is a separate weapon in a BYOVD attacker's arsenal. The fact that all five were found and reported simultaneously suggests that the driver had never received a security audit, or that the audit did not evaluate IOCTL access control. For defenders, the Paragon Partition Manager's presence on a system should be treated as a potential BYOVD risk until the driver is confirmed to be a patched version.
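As an added example (not code from the advisory or from Paragon), the following Python scans constructed Sysmon Event ID 6 (DriverLoad) records for BioNTdrv.sys. Because a BYOVD attacker brings the vendor's own signed binary, a valid signature is not a useful signal; the check keys on the driver's name and load path instead. The sample records and the expected driver directory are assumptions for illustration, and since the page gives no patched version number, any load from the normal location is reported for manual version confirmation.

```python
import re
from typing import Dict, List, Optional

# Driver named on this page, lower-cased for matching.
VULNERABLE_DRIVERS = {"biontdrv.sys"}
# Where a properly installed driver is expected to live (assumption).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed Sysmon Event ID 6 records, flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventID=6 UtcTime=2025-03-01 10:00:00.000 "
    "ImageLoaded=C:\\Windows\\System32\\drivers\\BioNTdrv.sys "
    "Signed=true Signature=Paragon Software GmbH SignatureStatus=Valid",
    "EventID=6 UtcTime=2025-03-01 10:05:12.000 "
    "ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\BioNTdrv.sys "
    "Signed=true Signature=Paragon Software GmbH SignatureStatus=Valid",
    "EventID=6 UtcTime=2025-03-01 10:06:00.000 "
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
]

# Split on whitespace only when the next token looks like "Key=", so
# values containing spaces (e.g. signer names) stay intact.
_FIELD_SPLIT = re.compile(r"\s+(?=\w+=)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened DriverLoad record into a field dictionary."""
    fields: Dict[str, str] = {}
    for token in _FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def assess(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for a DriverLoad event, or None if uninteresting."""
    if event.get("EventID") != "6":
        return None
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name not in VULNERABLE_DRIVERS:
        return None
    if not any(image.lower().startswith(d) for d in EXPECTED_DIRS):
        return f"HIGH: {name} loaded from unexpected path {image} (possible BYOVD)"
    return f"MEDIUM: {name} loaded from {image}; confirm the version is patched"


def scan(lines: List[str]) -> List[str]:
    """Run assess() over every record and collect the findings."""
    return [f for f in (assess(parse_event(l)) for l in lines) if f]
```

A real deployment would feed the same logic from the Sysmon operational log or an EDR export rather than the inline sample, and would pair it with the vulnerable-driver blocklist enforcement the vendor patch does not provide on its own.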