CVE-2025-11156
epdlpdrv.sys — Netskope Endpoint DLP driver null pointer dereference causes denial of service
Summary
| Field | Value |
|---|---|
| Driver | epdlpdrv.sys (Netskope Endpoint DLP) |
| Vendor | Netskope |
| Vulnerability Class | Null Pointer Dereference |
| CVSS | 5.9 (Medium) |
| Exploited ITW | No |
| Patch Date | November 28, 2025 |
Root Cause
The epdlpdrv.sys minifilter driver assumes it will always be loaded through the Netskope client stack. It never checks whether the client-provided runtime context actually exists before dereferencing it. A local admin can register the driver as a bare kernel service, bypassing the client entirely. The driver starts, reads a null context pointer, and crashes.
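To make the missing check concrete, the following is an added user-mode C model of the load-time pattern the advisory describes. It is not Netskope's code: the struct, function names, magic value and status constants are hypothetical stand-ins, and the status codes only mimic the NTSTATUS convention of zero for success. It places the unchecked "before" form next to a hardened form that validates the context before any dereference and fails the load cleanly, so a bare service registration produces a start failure instead of a crash; the hardened form goes one step beyond a bare null check by also validating a context header.

```c
/* Added example (not Netskope's code): a user-mode model of the driver-entry
 * pattern behind CVE-2025-11156. Names, the magic value and the status
 * constants are hypothetical stand-ins for whatever the real driver uses. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical runtime context the client stack is expected to hand to the
 * driver at load time. The magic value is constructed for this example. */
#define CLIENT_CTX_MAGIC   0x4E534B43u
#define CLIENT_CTX_VERSION 1u

struct client_context {
    uint32_t magic;         /* identifies a context produced by the client */
    uint32_t version;       /* layout version the driver understands */
    uint32_t policy_count;  /* number of DLP rules handed over */
    const char *first_rule; /* illustrative payload */
};

/* Modelled after NTSTATUS semantics: 0 = success, nonzero = failure. */
#define STATUS_SUCCESS              0
#define STATUS_INVALID_DEVICE_STATE 1
#define STATUS_REVISION_MISMATCH    2

/* Global the driver keeps after a successful load. */
static const struct client_context *g_ctx = NULL;

/* "Before" pattern, as the advisory describes it: the driver assumes the
 * client stack always supplied a context and dereferences it immediately.
 * With ctx == NULL this read faults; in kernel mode that fault is the BSOD. */
static int driver_entry_unchecked(const struct client_context *ctx)
{
    g_ctx = ctx;
    return ctx->policy_count > 0 ? STATUS_SUCCESS : STATUS_INVALID_DEVICE_STATE;
}

/* Hardened pattern: validate the context before touching it and refuse to
 * start when it is absent or not the expected shape. A plain service
 * registration then fails at start-up instead of crashing the machine. */
static int driver_entry_checked(const struct client_context *ctx)
{
    if (ctx == NULL) {
        /* Loaded outside the client stack: no context, so do not start. */
        return STATUS_INVALID_DEVICE_STATE;
    }
    if (ctx->magic != CLIENT_CTX_MAGIC || ctx->version != CLIENT_CTX_VERSION) {
        /* A context of the wrong origin or layout is just as unsafe to use. */
        return STATUS_REVISION_MISMATCH;
    }
    g_ctx = ctx;
    return STATUS_SUCCESS;
}

/* Reports how many rules the loaded context carries, 0 if not initialised. */
static uint32_t active_policy_count(void)
{
    return g_ctx ? g_ctx->policy_count : 0;
}

int main(void)
{
    /* Constructed sample context standing in for what the client would pass. */
    struct client_context good = { CLIENT_CTX_MAGIC, CLIENT_CTX_VERSION, 3, "block-usb-copy" };

    printf("checked load, no context:   status %d\n", driver_entry_checked(NULL));
    printf("checked load, good context: status %d\n", driver_entry_checked(&good));
    printf("active rules: %u\n", (unsigned)active_policy_count());
    /* driver_entry_unchecked(NULL) is deliberately not called: it would crash. */
    return 0;
}
```

The point of the second function is where the failure lands: a rejected load surfaces as a service start error that the Service Control Manager logs, which is both harmless and visible, whereas the unchecked form turns the same condition into a kernel crash.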
Exploitation
A local admin runs sc create (or equivalent) to register epdlpdrv.sys as a plain kernel service. The driver starts without the Netskope client context, dereferences null, and blue-screens the machine.
No code execution -- DoS only. But the driver is a signed third-party minifilter, so it doubles as a BYOVD weapon for killing endpoint protection on a target box.
Exploitation Primitive
Admin registers epdlpdrv.sys as kernel service
→ driver loads without client context
→ null pointer dereference → BSOD