
CVE-2025-0287

BioNTdrv.sys -- null pointer dereference causes denial of service

Summary

Driver: BioNTdrv.sys (Paragon Partition Manager)
Vulnerability Class: Null Pointer Dereference
Exploited ITW: No
Vendor: Paragon Software

Root Cause

Paragon Partition Manager's kernel driver, BioNTdrv.sys, shipped with five distinct vulnerabilities that together made it one of the most attractive BYOVD targets of early 2025. CVE-2025-0287 is the simplest of the bunch: a missing null check in an IOCTL handler.

When a user-mode process sends a crafted IOCTL to the BioNTdrv device, the driver proceeds to dereference a pointer without first confirming it is non-null. If the pointer happens to be zero, the kernel faults on the null page access, triggering an immediate blue screen. There is no corruption of adjacent memory and no code execution path here. The bug is strictly a denial-of-service primitive.
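The missing-check pattern described above, as an added illustration rather than code from BioNTdrv.sys or Paragon: a portable C model of a buffered IOCTL handler, with the unchecked dereference beside a hardened version that validates the buffer pointer and declared length before touching it. The request and query structures, field names and status values are hypothetical stand-ins for the real kernel types.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical status codes standing in for NTSTATUS values. */
#define STATUS_SUCCESS            0
#define STATUS_INVALID_PARAMETER  (-1)
#define STATUS_BUFFER_TOO_SMALL   (-2)

/* Simplified model of what a buffered IOCTL hands the driver: the caller's
 * input copied into a system buffer (NULL when the caller supplied none) and
 * the length the caller claimed for it. Not the real IRP layout. */
struct ioctl_request {
    uint32_t code;
    void    *system_buffer;
    size_t   input_length;
};

/* Hypothetical request body the handler expects; not the driver's format. */
struct partition_query {
    uint32_t disk_index;
    uint64_t offset;
};

/* Vulnerable pattern: the handler trusts the request and dereferences the
 * buffer with no null check. In kernel mode a NULL buffer faults on the
 * null page and the system bugchecks (the DoS the advisory describes). */
int handle_ioctl_vulnerable(const struct ioctl_request *req, uint64_t *out)
{
    const struct partition_query *q = req->system_buffer;
    *out = q->offset + (uint64_t)q->disk_index;   /* q may be NULL here */
    return STATUS_SUCCESS;
}

/* Hardened form: reject a missing buffer and a declared length too short for
 * the expected structure, returning an error status instead of faulting. */
int handle_ioctl_hardened(const struct ioctl_request *req, uint64_t *out)
{
    if (req == NULL || out == NULL || req->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER;
    if (req->input_length < sizeof(struct partition_query))
        return STATUS_BUFFER_TOO_SMALL;
    const struct partition_query *q = req->system_buffer;
    *out = q->offset + (uint64_t)q->disk_index;
    return STATUS_SUCCESS;
}
```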

This sits alongside four siblings in the same driver: CVE-2025-0285 and CVE-2025-0286 (arbitrary kernel writes), CVE-2025-0288 (arbitrary kernel write via memmove), and CVE-2025-0289 (insecure kernel resource access, exploited by ransomware gangs). The cluster of bugs reveals a driver that was never designed with adversarial input in mind.

Exploitation

An attacker opens a handle to the BioNTdrv device and sends a single crafted IOCTL. The null dereference fires, the kernel bugchecks, and the machine blue-screens. No privilege escalation occurs. The practical use is disruption: forcing a reboot on a target system, or combining with other attacks where a controlled crash serves a timing purpose.

Exploitation Primitive

Crafted IOCTL --> null pointer dereference --> BSoD (DoS only)

Broader Significance

On its own, CVE-2025-0287 is a low-impact crash bug. In context, it is part of a pattern. When a single third-party driver ships with five vulnerabilities spanning null derefs, arbitrary writes, and insecure resource access, and that driver carries a Microsoft co-signature, the BYOVD threat model becomes concrete. The other four siblings in BioNTdrv.sys give full SYSTEM escalation. This one simply reminds defenders that even "minor" bugs in signed drivers have operational value when attackers can load them at will.
