CVE-2025-1533

AsIO3.sys — stack-based buffer overflow in IRP_MJ_CREATE handler via extended-length path

Summary

Field                 Value
Driver                AsIO3.sys
Vendor                ASUS
Vulnerability Class   Buffer Overflow (Stack)
TALOS ID              TALOS-2025-2144
Exploited ITW         No
Status                Blocklisted

Affected Functions

  • Win32PathToNtPath (called from IRP_MJ_CREATE handler)

Root Cause

The IRP_MJ_CREATE handler calls Win32PathToNtPath to convert the path of the requesting process from a Win32 path to an NT path. The function copies the input path into a fixed 255-character stack buffer, sized on the assumption that paths fit within roughly MAX_PATH (260) characters.

The developers assumed that Windows paths could not exceed MAX_PATH. In practice, extended-length paths (prefixed with \\?\) can reach 32,767 characters. No length validation is performed before the copy, so supplying a path longer than 255 characters overflows the stack buffer.

Vulnerable Code Path

IRP_MJ_CREATE
  → Win32PathToNtPath
    → copies caller path into 255-char stack buffer (no length check)
    → stack buffer overflow

Exploitation

The overflow overwrites the return address and adjacent stack frames. Combined with the authorization bypass in CVE-2025-3464 (needed to reach the vulnerable code path), an attacker could chain this for kernel code execution.

In practice, the Talos researchers did not use this vulnerability in their final exploit chain — they instead leveraged the driver's existing IOCTL primitives after bypassing authorization. The stack overflow remains a viable alternative entry point.

Exploitation Primitive

Extended-length path (>255 chars) → stack buffer overflow in Win32PathToNtPath
  → return address overwrite → kernel code execution

Patch Analysis

Add length validation in Win32PathToNtPath to reject paths exceeding the stack buffer size before the copy operation.
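As an added illustration of that fix (example code written for this page, not the driver's own implementation, whose internals are not shown here), the following is a hypothetical user-mode model of Win32PathToNtPath in C that validates the input length against the stack buffer before copying. The `\\?\` to `\??\` prefix handling, the 32,768-byte demo input buffer, and the helper names `converts_to` and `rejects_path_of_length` are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <string.h>

#define PATH_BUF_CHARS   255          /* the fixed stack buffer size the advisory describes */
#define WIN32_EXT_PREFIX "\\\\?\\"    /* Win32 extended-length prefix  \\?\                  */
#define NT_PREFIX        "\\??\\"     /* NT object-manager prefix      \??\                  */

/* Hypothetical user-mode model of Win32PathToNtPath with the missing check added: the input
 * length is validated against the stack buffer BEFORE the copy. Returns false (and writes
 * nothing) when the path would not fit, the extended-length case the original did not handle. */
bool win32_path_to_nt_path(const char *win32_path, char *nt_path, size_t nt_path_chars)
{
    char stack_buf[PATH_BUF_CHARS + 1];                 /* fixed buffer + NUL */
    size_t in_len = strlen(win32_path);
    if (in_len > PATH_BUF_CHARS)                        /* the fix: reject, do not assume MAX_PATH */
        return false;
    memcpy(stack_buf, win32_path, in_len + 1);          /* now bounded by the check above */
    const char *body = stack_buf;                       /* \\?\X:\... and X:\... name the same path */
    if (strncmp(body, WIN32_EXT_PREFIX, strlen(WIN32_EXT_PREFIX)) == 0)
        body += strlen(WIN32_EXT_PREFIX);
    size_t out_len = strlen(NT_PREFIX) + strlen(body);
    if (out_len + 1 > nt_path_chars)                    /* same discipline for the output buffer */
        return false;
    memcpy(nt_path, NT_PREFIX, strlen(NT_PREFIX));
    memcpy(nt_path + strlen(NT_PREFIX), body, strlen(body) + 1);
    return true;
}

/* Demo helper: true when win32_path converts to exactly the expected NT path. */
bool converts_to(const char *win32_path, const char *expected)
{
    char out[PATH_BUF_CHARS + 8];
    return win32_path_to_nt_path(win32_path, out, sizeof out) && strcmp(out, expected) == 0;
}

/* Demo helper: builds a constructed extended-length path "\\?\C:\AAAA..." of exactly total_chars
 * characters (up to the 32,767 Windows allows) and reports whether the hardened function rejects it. */
bool rejects_path_of_length(size_t total_chars)
{
    static char in[32768];                              /* constructed input, not a real process path */
    char out[PATH_BUF_CHARS + 8];
    size_t head = strlen(WIN32_EXT_PREFIX "C:\\");
    if (total_chars < head || total_chars >= sizeof in)
        return false;
    memcpy(in, WIN32_EXT_PREFIX "C:\\", head);
    memset(in + head, 'A', total_chars - head);
    in[total_chars] = '\0';
    return !win32_path_to_nt_path(in, out, sizeof out);
}
```

A 255-character path still converts, while 256 characters and the 32,767-character maximum are refused before any byte reaches the stack buffer.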

Detection

YARA Rule

rule CVE_2025_1533_AsIO3 {
    meta:
        description = "Detects AsIO3.sys versions vulnerable to stack overflow in Win32PathToNtPath"
        cve = "CVE-2025-1533"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "AsIO3" wide ascii nocase
        $func = "Win32PathToNtPath" ascii
    condition:
        $mz at 0 and $driver_name and $func
}

Behavioral Indicators

  • Process with extended-length path (>260 characters) attempting to open AsIO3.sys device
  • Stack corruption / bugcheck following IRP_MJ_CREATE to AsIO3 device

Techniques Used

Technique               KernelSight Page
Stack Buffer Overflow   Buffer Overflow

References