CVE-2025-24063

ks.sys -- heap-based buffer overflow in Kernel Streaming Service allows elevation of privilege

Summary

Field                Value
Driver               ks.sys (Kernel Streaming Service)
Vulnerability Class  Buffer Overflow (Heap)
CVSS                 7.8
Exploited ITW        No
Patch Date           May 13, 2025

Root Cause

The Kernel Streaming subsystem continued to produce vulnerabilities through 2025, and CVE-2025-24063 is part of that ongoing pattern. The bug is a heap-based buffer overflow in ks.sys caused by missing bounds validation when processing crafted streaming requests.

When a locally authenticated user sends a streaming request through the KS device interface, the driver allocates a kernel pool buffer to hold the request data. The problem is that the driver trusts the caller-supplied size field when deciding how much data to copy into that buffer, instead of bounding the copy by the size it actually allocated. If the data exceeds the allocated buffer's capacity, the copy overflows into adjacent kernel pool objects.

The overflow targets NonPagedPoolNx, where the corrupted adjacent objects can include security-sensitive kernel structures. ZeroPath published a detailed analysis of this vulnerability, providing insight into the specific validation gap and the pool corruption mechanics.
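As an added illustration of the validation gap described above (constructed user-mode C, not ks.sys code and not taken from the ZeroPath analysis; the request layout, field names and pool size are assumptions), the unchecked copy uses whatever length the caller claims, while the checked version bounds the copy by both the bytes the caller actually supplied and the capacity of the driver's own allocation:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed request layout: an untrusted length field followed by payload.
 * This is a model of the bug class, not the real ks.sys request format. */
struct ks_request {
    uint32_t data_length;   /* caller-supplied, must be treated as untrusted */
    uint8_t  data[];        /* payload bytes follow the header */
};

#define POOL_BUF_SIZE 64    /* assumed fixed capacity of the driver's pool buffer */

enum ks_status { KS_OK = 0, KS_INVALID_HEADER, KS_LENGTH_MISMATCH, KS_TOO_LARGE };

/* Bug pattern from the root-cause description: the copy length is the caller's
 * field, the allocation capacity is never consulted. Shown for contrast only. */
size_t copy_request_unchecked(uint8_t *pool_buf, size_t pool_cap,
                              const struct ks_request *req)
{
    (void)pool_cap;
    memcpy(pool_buf, req->data, req->data_length);  /* overflows when data_length > pool_cap */
    return req->data_length;
}

/* Hardened form: validate the header, the claimed length against the bytes the
 * I/O path really delivered (input_length), and then against the allocation. */
enum ks_status copy_request_checked(uint8_t *pool_buf, size_t pool_cap,
                                    const void *input, size_t input_length,
                                    size_t *copied)
{
    const struct ks_request *req = input;
    size_t hdr = offsetof(struct ks_request, data);
    if (input_length < hdr) return KS_INVALID_HEADER;
    if (req->data_length > input_length - hdr) return KS_LENGTH_MISMATCH;
    if (req->data_length > pool_cap) return KS_TOO_LARGE;
    memcpy(pool_buf, req->data, req->data_length);
    *copied = req->data_length;
    return KS_OK;
}

/* Builds a constructed request claiming `claimed` bytes but carrying `actual`
 * payload bytes, then runs the checked copy into a POOL_BUF_SIZE buffer. */
enum ks_status handle_request(uint32_t claimed, size_t actual, size_t *copied)
{
    size_t hdr = offsetof(struct ks_request, data);
    uint8_t *input = calloc(1, hdr + actual);
    uint8_t pool_buf[POOL_BUF_SIZE];
    struct ks_request *req = (struct ks_request *)input;
    req->data_length = claimed;
    memset(req->data, 0x41, actual);
    enum ks_status st = copy_request_checked(pool_buf, sizeof pool_buf, input, hdr + actual, copied);
    free(input);
    return st;
}
```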

Exploitation

A locally authenticated attacker opens the KS device interface and sends crafted streaming requests with size fields that exceed the allocated buffer. The heap overflow corrupts adjacent pool objects. By spraying the pool with controlled allocations before triggering the overflow, the attacker can predict which objects will be corrupted and shape the corruption to gain a kernel read/write primitive.

From the R/W primitive, the standard escalation path applies: locate the current process token, swap it with the SYSTEM token, and the attacker's process inherits full privileges.

Exploitation Primitive

Crafted KS streaming request with oversized data
  --> heap buffer overflow in NonPagedPoolNx
  --> adjacent pool object corruption
  --> kernel R/W primitive --> token swap --> SYSTEM

Broader Significance

CVE-2025-24063 is part of the broader Kernel Streaming attack surface that DEVCORE's research brought to prominence. The KS subsystem processes media data from cameras, microphones, and other capture devices, and its device interface is accessible to any local user. The steady stream of KS vulnerabilities through 2024 and 2025 (including CVE-2025-24046, CVE-2025-24066, and CVE-2025-24067) suggests that the subsystem's input validation has systemic gaps rather than isolated oversights.

References