CVE-2025-24066
ks.sys -- heap-based buffer overflow via crafted IOCTL request
Summary
| Field | Value |
|---|---|
| Driver | ks.sys (Kernel Streaming Service Driver) |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited in the wild (ITW) | No |
| Patch Date | March 11, 2025 |
Root Cause
DEVCORE's systematic audit of the Windows Kernel Streaming subsystem, which began with their Pwn2Own 2024 research, continued to yield results well into 2025. CVE-2025-24066 is one of the findings from that campaign: a heap buffer overflow in ks.sys triggered by a crafted IOCTL.
The driver fails to validate the input length field in an IOCTL request before using it in a memory operation. Because the length is never compared against the size of the destination allocation, the driver copies more data than the non-paged pool buffer can hold, producing an out-of-bounds write past the end of that allocation. This is the same fundamental pattern seen across multiple KS vulnerabilities: caller-supplied sizes are trusted without bounds checking.
The vulnerability is part of a broader attack surface that spans ks.sys, ksthunk.sys, and mskssrv.sys, all components of the kernel streaming pipeline that processes media data from capture devices. DEVCORE found 20+ vulnerabilities across these drivers, suggesting that input validation was not applied consistently during the subsystem's development.
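The missing check described above, shown as an added illustration: a hypothetical user-mode model of an IOCTL handler written for this page, not ks.sys code or DEVCORE's. The request layout (a 32-bit `Length` header followed by payload), the `POOL_CAPACITY` value and the handler names are assumptions; in a real driver `inLen` would be the input buffer size reported by the I/O manager, never a value taken from the request body itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values as used by Windows drivers. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u

/* Assumed size of the fixed non-paged pool destination (hypothetical). */
#define POOL_CAPACITY 64

/* Assumed request header: the payload bytes follow immediately after it. */
typedef struct {
    uint32_t Length;   /* caller-supplied payload length: untrusted */
} KS_REQUEST_HDR;

/* Vulnerable pattern (for contrast only, never call it with untrusted
 * input): Length is used directly as the copy size, so any value larger
 * than the destination writes past the end of the pool allocation. */
static uint32_t HandleRequestUnchecked(const void *in, uint8_t *dest)
{
    const KS_REQUEST_HDR *hdr = in;
    memcpy(dest, hdr + 1, hdr->Length);     /* Length never validated */
    return STATUS_SUCCESS;
}

/* Hardened pattern: the copy size is checked against both the real input
 * buffer size (inLen, from the I/O manager) and the destination capacity. */
static uint32_t HandleRequestChecked(const void *in, size_t inLen,
                                     uint8_t *dest, size_t destCap)
{
    KS_REQUEST_HDR hdr;
    if (in == NULL || inLen < sizeof hdr)
        return STATUS_INVALID_PARAMETER;    /* header not fully present */
    memcpy(&hdr, in, sizeof hdr);           /* copy, don't cast: avoids misalignment */
    if (hdr.Length > inLen - sizeof hdr)
        return STATUS_INVALID_PARAMETER;    /* claims more data than was supplied */
    if (hdr.Length > destCap)
        return STATUS_BUFFER_TOO_SMALL;     /* would overflow the pool buffer */
    memcpy(dest, (const uint8_t *)in + sizeof hdr, hdr.Length);
    return STATUS_SUCCESS;
}
```

The second check is the one a fuzzer-found oversized length hits; the first rejects requests whose claimed length exceeds what the caller actually handed over, which is the same trust error in a different place.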
Exploitation
A locally authenticated attacker sends a crafted IOCTL to the ks.sys device with a length field that exceeds the allocated buffer. The resulting heap overflow corrupts adjacent non-paged pool objects.
The attacker prepares the pool layout before triggering the overflow, spraying allocations of a controlled size to ensure predictable adjacency. The corrupted object provides a kernel memory corruption primitive that leads to SYSTEM privilege escalation through token manipulation.
Exploitation Primitive
Crafted IOCTL with oversized length field
--> heap buffer overflow in ks.sys non-paged pool
--> adjacent pool object corruption
--> kernel memory primitive --> SYSTEM
Broader Significance
CVE-2025-24066, alongside CVE-2025-24046, CVE-2025-24063, and CVE-2025-24067, demonstrates that the kernel streaming subsystem was a systemic source of privilege escalation bugs in 2025. DEVCORE's research showed that once a researcher understands the KS architecture and its IOCTL dispatch patterns, finding additional overflow opportunities becomes almost mechanical. The lesson for driver developers is that any subsystem with multiple IOCTL handlers needs systematic validation audits, not just spot checks on individual handlers.