CVE-2025-24046

ks.sys -- double free from MDL chain mismanagement during frame buffer handling

Summary

Field	Value
Driver	ks.sys (Kernel Streaming)
Vulnerability Class	Double Free
CVSS	7.8
Exploited ITW	No
Patch Date	2025

Root Cause

DEVCORE's extensive audit of the Windows Kernel Streaming subsystem uncovered over 20 vulnerabilities across ks.sys, ksthunk.sys, and mskssrv.sys. CVE-2025-24046 is one of the more elegant findings: a double free caused by a subtle bookkeeping error in MDL (Memory Descriptor List) chain management.

The bug lives in the AVStream frame buffer handling path, where ks.sys acts as an intermediary between user-mode media applications and kernel-mode AVStream mini-drivers. When an IRP associated with a frame buffer completes, the driver walks the MDL chain attached to the IRP and frees each MDL. But after doing so, it fails to clear the MDL pointer stored in the IRP structure itself.

This matters because IoCompleteRequest, the kernel function that finalizes IRP completion, also walks the IRP's MDL chain and frees any MDLs it finds. Since the pointer was never nullified, IoCompleteRequest sees the same MDLs and frees them a second time. The result is a classic double-free: the same memory region is returned to the kernel pool twice.

Vulnerable Code Path

Frame buffer IRP completion
  --> ks.sys walks MDL chain and frees each MDL
  --> MDL pointer in IRP left non-null
  --> IoCompleteRequest walks same chain and frees MDLs again
  --> double-free

Exploitation

A double-free corrupts kernel heap metadata because the pool manager now believes the same memory block is available for two separate allocations. An attacker who controls the timing of subsequent allocations can arrange for a kernel object to be allocated in the "doubly-freed" region. This creates a situation where two different code paths believe they own the same memory.

From this point, the attacker can manipulate the overlapping object to forge kernel data structures, achieving arbitrary memory writes. The write primitive leads to standard SYSTEM escalation via token manipulation.

Exploitation Primitive

Frame buffer IRP completion --> MDL double-free
  --> pool metadata corruption
  --> controlled object allocated in doubly-freed region
  --> arbitrary memory write --> SYSTEM

Broader Significance

CVE-2025-24046 highlights how easy it is for resource cleanup code to contain latent bugs. The ks.sys driver correctly freed its MDLs but forgot to tell the rest of the kernel it had done so. The IRP completion machinery, which also frees MDLs as a safety net, became a liability rather than a safeguard. DEVCORE's 20+ findings across the kernel streaming subsystem demonstrate that media subsystem drivers, often overlooked in security audits, contain a rich attack surface accessible from any user with a camera or microphone.

References

• DEVCORE -- Frame by Frame, Kernel Streaming Keeps Giving Vulnerabilities
• DEVCORE -- Streaming Vulnerabilities Part I
• DEVCORE -- Streaming Vulnerabilities Part II