CVE-2025-0288
BioNTdrv.sys — arbitrary kernel memory write via memmove allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | BioNTdrv.sys (Paragon Partition Manager) |
| Vulnerability Class | Arbitrary Kernel Write |
| Exploited ITW | No |
| Vendor | Paragon Software |
Root Cause
The IOCTL handler in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager, passes a source pointer, a destination pointer and a length taken directly from the user-supplied request buffer to memmove without validating any of them. A local caller can therefore copy bytes of their choosing to any kernel address, which is an arbitrary kernel memory write; because the source pointer is equally unchecked, the same call can also copy kernel memory into a user buffer. This is one of five vulnerabilities reported together in BioNTdrv.sys (alongside CVE-2025-0285, CVE-2025-0286, CVE-2025-0287 and CVE-2025-0289).
Exploitation
A local attacker opens a handle to the BioNTdrv device object and issues the IOCTL whose request structure carries the memmove source, destination and size, setting all three to values of their choosing. Converting an arbitrary kernel write into SYSTEM then follows the usual Windows pattern rather than anything specific to this driver: overwrite a privilege-bearing field in a kernel object, most commonly replacing the Token pointer of the attacker's own EPROCESS with that of the SYSTEM process. The precondition is that the vulnerable driver is present on the host, which it is wherever the affected Paragon product is installed; an attacker who wants to bring the driver along instead already needs administrator rights to load it. Microsoft added the affected versions to its Vulnerable Driver Blocklist, so hosts with HVCI enabled and a current blocklist will refuse to load them; checking for BioNTdrv.sys under System32\drivers and confirming the blocklist is current is the practical defensive check.
Exploitation Primitive
Open device handle → memmove IOCTL
→ attacker-controlled src/dst/size → arbitrary kernel write → SYSTEM
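The following is an added, user-mode model of the primitive described in the Root Cause and Exploitation sections above; it is not BioNTdrv.sys source and nothing in it (the MEMMOVE_REQUEST layout, the handler names, the fake EPROCESS objects) is taken from the real driver. It shows why forwarding three unchecked request fields to memmove is a full arbitrary write, how that write is typically spent (a token swap between two simulated process objects), and what the minimal validation a driver needs looks like. The bounds check against a single user buffer stands in for ProbeForRead/ProbeForWrite under __try/__except in a real driver.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout for illustration only; the real IOCTL
 * structure of BioNTdrv.sys is not reproduced here. */
typedef struct {
    uint64_t src;   /* source address, taken verbatim from the caller */
    uint64_t dst;   /* destination address, taken verbatim from the caller */
    uint64_t size;  /* byte count, taken verbatim from the caller */
} MEMMOVE_REQUEST;

/* Simulated kernel objects: a stand-in for EPROCESS with its Token field,
 * the classic target of an arbitrary-write-to-SYSTEM chain. */
typedef struct {
    uint64_t pid;
    uint64_t token;
} FAKE_EPROCESS;

static FAKE_EPROCESS g_system_process   = { 4,    0xFFFF800000001000ULL };
static FAKE_EPROCESS g_attacker_process = { 1337, 0xFFFF800000002000ULL };

/* Simulated user-mode region: the only memory a well-behaved handler may
 * read from or write to on the caller's behalf. */
static uint8_t g_user_buffer[64];

/* Model of the vulnerable path: the handler trusts all three parameters.
 * Any src/dst pair, including kernel addresses, reaches memmove. */
int handler_vulnerable(const MEMMOVE_REQUEST *req, size_t in_len)
{
    if (in_len < sizeof(*req))
        return -1;  /* the only check performed */
    memmove((void *)(uintptr_t)req->dst,
            (const void *)(uintptr_t)req->src,
            (size_t)req->size);
    return 0;
}

/* Overflow-safe check that [addr, addr + size) lies inside g_user_buffer.
 * In a real driver this is the job of ProbeForRead/ProbeForWrite plus a
 * bound on size derived from the IRP's buffer lengths. */
bool range_in_user_buffer(uint64_t addr, uint64_t size)
{
    uint64_t base = (uint64_t)(uintptr_t)g_user_buffer;
    uint64_t end  = base + sizeof(g_user_buffer);
    if (size == 0 || size > sizeof(g_user_buffer))
        return false;
    if (addr < base)
        return false;
    return addr <= end - size;  /* equivalent to addr + size <= end, no wrap */
}

/* Hardened handler: both ranges must be caller-owned memory before memmove. */
int handler_hardened(const MEMMOVE_REQUEST *req, size_t in_len)
{
    if (in_len < sizeof(*req))
        return -1;
    if (!range_in_user_buffer(req->src, req->size))
        return -2;  /* would read kernel memory */
    if (!range_in_user_buffer(req->dst, req->size))
        return -3;  /* would write kernel memory */
    memmove((void *)(uintptr_t)req->dst,
            (const void *)(uintptr_t)req->src,
            (size_t)req->size);
    return 0;
}

/* Attack attempt: copy the SYSTEM token over the attacker's token.
 * Returns 1 if the attacker's fake process now holds the SYSTEM token. */
int demo_token_steal(int (*handler)(const MEMMOVE_REQUEST *, size_t))
{
    g_attacker_process.token = 0xFFFF800000002000ULL;  /* reset between runs */
    MEMMOVE_REQUEST req = {
        .src  = (uint64_t)(uintptr_t)&g_system_process.token,
        .dst  = (uint64_t)(uintptr_t)&g_attacker_process.token,
        .size = sizeof(uint64_t),
    };
    int rc = handler(&req, sizeof(req));
    return rc == 0 && g_attacker_process.token == g_system_process.token;
}

/* Benign request entirely inside the user buffer; returns the handler's rc. */
int demo_legit_copy(int (*handler)(const MEMMOVE_REQUEST *, size_t))
{
    memcpy(g_user_buffer, "constructed", 12);  /* constructed sample input */
    MEMMOVE_REQUEST req = {
        .src  = (uint64_t)(uintptr_t)g_user_buffer,
        .dst  = (uint64_t)(uintptr_t)(g_user_buffer + 16),
        .size = 12,
    };
    return handler(&req, sizeof(req));
}

int main(void)
{
    printf("vulnerable handler, token stolen: %d\n", demo_token_steal(handler_vulnerable));
    printf("hardened handler, token stolen:   %d\n", demo_token_steal(handler_hardened));
    printf("hardened handler, benign copy rc: %d\n", demo_legit_copy(handler_hardened));
    return 0;
}
```

The point of the hardened variant is not the specific buffer it checks but that every address and length in the request is validated against memory the caller is allowed to touch before memmove runs; a driver that accepts raw pointers from METHOD_NEITHER or a buffered request without probing them has exactly the primitive this CVE describes.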