CVE-2025-24052

ltmdm64.sys -- stack buffer overflow in Agere Modem driver allows elevation of privilege

Summary

| Field | Value |
|---|---|
| Driver | ltmdm64.sys (Agere Modem) |
| Vulnerability Class | Buffer Overflow (Stack) |
| CVSS | 7.8 |
| Exploited ITW | No (publicly disclosed) |
| Patch Date | October 14, 2025 |

Root Cause

The Agere modem driver is a legacy component that ships as an inbox driver with every Windows installation, despite the fact that dial-up modems have been essentially extinct for over a decade. Like its sibling vulnerability CVE-2025-24990, the driver's continued presence in Windows creates attack surface that exists purely for historical compatibility reasons.

The stack buffer overflow occurs when ltmdm64.sys processes crafted input without checking sizes. The driver copies user-supplied data into a fixed-size buffer on the kernel stack. No length validation is performed before the copy, so oversized input overwrites the return address and adjacent stack frames.
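The bug class described above, as an added user-mode C illustration (not code from ltmdm64.sys, which this page does not reproduce): an unchecked copy into a fixed-size stack buffer beside its length-validated form. The handler names, the 64-byte buffer size and the status codes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes; the driver's real code is not on this page. */
#define LOCAL_BUF_SIZE    64
#define REQ_OK             0
#define REQ_INVALID_PARAM -1

typedef int (*handler_t)(const unsigned char *, size_t, unsigned char *, size_t);

/* Before: caller-controlled bytes go into a fixed-size stack buffer and
 * in_len is never compared with sizeof(local). Any in_len > 64 writes past
 * the buffer into the saved return address and adjacent frames. */
int handle_unchecked(const unsigned char *in, size_t in_len,
                     unsigned char *out, size_t out_len)
{
    unsigned char local[LOCAL_BUF_SIZE];
    memcpy(local, in, in_len);                 /* BUG: no length validation */
    memcpy(out, local, in_len < out_len ? in_len : out_len);
    return REQ_OK;
}

/* After: every length is validated before the first byte is copied. */
int handle_checked(const unsigned char *in, size_t in_len,
                   unsigned char *out, size_t out_len)
{
    unsigned char local[LOCAL_BUF_SIZE];
    if (in == NULL || out == NULL)
        return REQ_INVALID_PARAM;
    if (in_len > sizeof(local) || in_len > out_len)
        return REQ_INVALID_PARAM;              /* reject, touch nothing */
    memcpy(local, in, in_len);
    memcpy(out, local, in_len);
    return REQ_OK;
}

/* Constructed request: n bytes of 'A' (n <= 256) passed to handler h. */
int run(handler_t h, size_t n)
{
    unsigned char in[256], out[256];
    memset(in, 'A', sizeof(in));
    return h(in, n, out, sizeof(out));
}

int main(void)
{
    printf("n=64: %d, n=65: %d\n", run(handle_checked, 64), run(handle_checked, 65));
    return 0;
}
```

The unchecked handler is only ever called with in-bounds sizes here; the checked handler returns an error for anything larger than the local buffer before any copy takes place.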

The combination of being a legacy inbox driver (present everywhere), having no practical use case on modern systems, and containing a straightforward stack overflow made ltmdm64.sys a notable finding. Microsoft ultimately decided to remove the driver entirely rather than patch it (see CVE-2025-24990); that removal came in the same October 2025 update.

Exploitation

The attacker sends crafted input to the modem driver's device interface. The stack overflow overwrites the return address on the kernel stack, giving the attacker control of the instruction pointer when the function returns. From kernel code execution, escalation to SYSTEM is trivial.

The attack requires only local access. No modem hardware needs to be present because the driver is loaded and accessible regardless of hardware configuration.

Exploitation Primitive

Crafted input to ltmdm64.sys device
  --> stack buffer overflow (no length validation)
  --> return address overwrite
  --> kernel code execution --> SYSTEM

Broader Significance

CVE-2025-24052 is a case study in legacy attack surface. The Agere modem driver serves no purpose on modern systems, yet it ships on every Windows installation and exposes a kernel device object that any local user can interact with. The stack overflow inside is the kind of bug that automated fuzzing would catch quickly, yet it survived in an inbox driver for years. Together with CVE-2025-24990, it forced Microsoft to acknowledge that removing the driver entirely was the correct response rather than continuing to maintain dead code.
