CVE-2025-24066
ks.sys — heap-based buffer overflow via crafted IOCTL request
Summary
| Field | Value |
|---|---|
| Driver | ks.sys (Kernel Streaming Service Driver) |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | March 11, 2025 |
Root Cause
The Kernel Streaming Service Driver does not validate the input length of a crafted IOCTL request before processing it. Because the length is trusted, the driver overwrites a heap buffer in the non-paged pool. This issue was found as part of ongoing kernel streaming attack-surface research that has uncovered 20+ vulnerabilities across ks.sys, ksthunk.sys, and mskssrv.sys.
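As an added illustration (not ks.sys code; the request layout, field names and pool object here are hypothetical), the following user-mode C model shows the input-length validation an IOCTL handler needs before copying caller-controlled data into a fixed-size pool object, which is the check the advisory says was missing:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical METHOD_BUFFERED request layout: a header whose `count`
 * says how many entries follow it. Not the real ks.sys format. */
typedef struct { uint32_t count; uint32_t flags; } req_header_t;
typedef struct { uint32_t id; uint32_t value; } req_entry_t;

#define POOL_MAX_ENTRIES 8  /* capacity of the fixed-size pool object */
/* Stand-in for a fixed-size non-paged pool object the request is copied into. */
typedef struct { req_header_t hdr; req_entry_t entries[POOL_MAX_ENTRIES]; } pool_obj_t;

typedef enum { IOCTL_OK, IOCTL_BAD_LENGTH, IOCTL_TOO_MANY } ioctl_status_t;

/* Hardened dispatch: the bug class above is copying `count` entries from the
 * request without the two checks below, so a count larger than the object
 * (or larger than the data actually sent) overruns the pool allocation. */
ioctl_status_t handle_ioctl(pool_obj_t *obj, const uint8_t *in, size_t in_len)
{
    req_header_t hdr;
    if (in_len < sizeof hdr)
        return IOCTL_BAD_LENGTH;            /* header must be fully present */
    memcpy(&hdr, in, sizeof hdr);           /* snapshot: no re-reads of caller memory */
    if (hdr.count > POOL_MAX_ENTRIES)
        return IOCTL_TOO_MANY;              /* bound the copy by destination capacity */
    size_t body = (size_t)hdr.count * sizeof(req_entry_t);
    if (body > in_len - sizeof hdr)
        return IOCTL_BAD_LENGTH;            /* count claims more data than was sent */
    obj->hdr = hdr;
    memcpy(obj->entries, in + sizeof hdr, body);
    return IOCTL_OK;
}

/* Builds a constructed request claiming `count` entries but carrying
 * `sent` entries, dispatches it, and returns the handler's verdict. */
ioctl_status_t run_request(uint32_t count, uint32_t sent)
{
    uint8_t buf[sizeof(req_header_t) + 64 * sizeof(req_entry_t)];
    pool_obj_t obj;
    req_header_t hdr = { count, 0 };
    size_t len = sizeof hdr + (size_t)sent * sizeof(req_entry_t);
    if (len > sizeof buf)
        return IOCTL_BAD_LENGTH;            /* constructed input too big for this model */
    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0x41, len - sizeof hdr);
    return handle_ioctl(&obj, buf, len);
}
```

The important ordering is that both the caller-supplied count and the actual buffer length are checked before any copy; checking only one of them still leaves a pool overrun reachable.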
Exploitation
A locally authenticated attacker sends a crafted IOCTL to overflow a heap buffer, corrupting adjacent pool objects for privilege escalation.
Exploitation Primitive
Crafted IOCTL → heap buffer overflow in ks.sys → adjacent pool corruption → SYSTEM