
CVE-2025-24046

ks.sys — double free from MDL chain mismanagement during frame buffer handling

Summary

Field                Value
Driver               ks.sys (Kernel Streaming)
Vulnerability Class  Double Free
CVSS                 7.8
Exploited ITW        No
Patch Date           2025

Root Cause

During AVStream frame buffer handling, ks.sys sits between user-mode applications and kernel-mode AVStream minidrivers and owns the IRPs that carry frame buffers. When such an IRP completes, ks.sys walks the MDL chain and releases each MDL itself, but leaves Irp->MdlAddress pointing at the chain it has just freed. IoCompleteRequest always tears down whatever MDL chain Irp->MdlAddress still references, so it follows the dangling pointer and frees the same MDLs a second time.

Discovered by DEVCORE as part of their extensive kernel streaming attack surface research, which identified 20+ vulnerabilities across the streaming subsystem.

Vulnerable Code Path

Frame buffer IRP completion
  → ks.sys releases every MDL in the IRP's MDL chain
  → Irp->MdlAddress is left pointing at the freed chain
  → IoCompleteRequest walks Irp->MdlAddress and frees the MDLs again → double-free
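The following is an added user-mode model of the bug pattern and its fix; it is not ks.sys, ntoskrnl or DEVCORE code. The MDL and IRP structs are reduced to the fields the bug depends on, and ModelIoFreeMdl / ModelIoCompleteRequest are hypothetical stand-ins for the real routines that record a second free of the same MDL instead of corrupting a pool. The fix shown (detach the chain from Irp->MdlAddress before freeing it) is one of the two standard ways to avoid the pattern; the other is to free nothing and let IoCompleteRequest own the teardown.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical user-mode model of the IRP/MDL chain lifecycle.
 * Only the fields the double free depends on are modelled.
 */
typedef struct _MDL {
    struct _MDL *Next;      /* link IoCompleteRequest follows through the chain */
    size_t       ByteCount;
    int          FreeCount; /* model bookkeeping: how many times this MDL was freed */
} MDL;

typedef struct _IRP {
    MDL *MdlAddress;        /* head of the MDL chain the I/O manager will tear down */
} IRP;

/* Per-scenario counters: frees of an already-freed MDL, and all frees. */
static int g_double_frees;
static int g_total_frees;

/*
 * Stand-in for IoFreeMdl. A real pool free would corrupt allocator state (or
 * release a chunk an attacker has since reclaimed); the model only records it.
 */
static void ModelIoFreeMdl(MDL *mdl)
{
    if (mdl->FreeCount > 0)
        g_double_frees++;
    mdl->FreeCount++;
    g_total_frees++;
}

/*
 * Mirrors the relevant part of IoCompleteRequest: it unconditionally walks
 * Irp->MdlAddress and frees every MDL still linked there.
 */
static void ModelIoCompleteRequest(IRP *irp)
{
    MDL *mdl = irp->MdlAddress;
    while (mdl != NULL) {
        MDL *next = mdl->Next;   /* in the vulnerable case this reads freed memory */
        ModelIoFreeMdl(mdl);
        mdl = next;
    }
    irp->MdlAddress = NULL;
}

/* Frees the chain starting at head, as a driver that owns the MDLs would. */
static void ReleaseMdlChain(MDL *head)
{
    while (head != NULL) {
        MDL *next = head->Next;
        ModelIoFreeMdl(head);
        head = next;
    }
}

/* Vulnerable pattern: release the chain but leave Irp->MdlAddress dangling. */
static void VulnerableFrameComplete(IRP *irp)
{
    ReleaseMdlChain(irp->MdlAddress);
    /* BUG: Irp->MdlAddress still points at the freed chain. */
    ModelIoCompleteRequest(irp);
}

/* Fixed pattern: detach the chain from the IRP before freeing it. */
static void FixedFrameComplete(IRP *irp)
{
    MDL *chain = irp->MdlAddress;
    irp->MdlAddress = NULL;      /* the I/O manager now has nothing to free */
    ReleaseMdlChain(chain);
    ModelIoCompleteRequest(irp);
}

/*
 * Builds a constructed three-MDL frame buffer chain, completes the IRP with
 * the chosen handler and returns the number of double frees observed.
 */
int RunCompletionScenario(int use_fix)
{
    MDL chain[3] = {
        { &chain[1], 4096, 0 },
        { &chain[2], 4096, 0 },
        { NULL,      2048, 0 },
    };
    IRP irp = { &chain[0] };

    g_double_frees = 0;
    g_total_frees = 0;
    if (use_fix)
        FixedFrameComplete(&irp);
    else
        VulnerableFrameComplete(&irp);
    return g_double_frees;
}

/* Total frees performed by the most recent scenario (3 MDLs should give exactly 3). */
int LastScenarioTotalFrees(void)
{
    return g_total_frees;
}

int main(void)
{
    printf("vulnerable completion: %d double frees\n", RunCompletionScenario(0));
    printf("fixed completion:      %d double frees\n", RunCompletionScenario(1));
    return 0;
}
```

The vulnerable path frees each of the three MDLs twice, once in the driver and once in the I/O manager; the fixed path frees each exactly once, which is the property a reviewer should check in any completion routine that touches Irp->MdlAddress.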

Exploitation

IoFreeMdl returns the MDL to the nonpaged pool, so the second free hands the allocator a chunk it already considers free. At best this corrupts the allocator's free-list state; more usefully for an attacker, if the chunk is reclaimed with a controlled allocation in the window between ks.sys releasing the chain and IoCompleteRequest walking Irp->MdlAddress, the second free releases memory that now backs a live object, and the next allocation of the same size overlaps it. An attacker who controls the pool layout can use that overlap to forge kernel objects in the reused region and turn it into an arbitrary kernel write.

Exploitation Primitive

Frame buffer IRP → MDL double-free → heap corruption → arbitrary write → SYSTEM

References