
CVE-2025-24067

mskssrv.sys -- heap-based buffer overflow via crafted IOCTL request

Summary

Field                 Value
Driver                mskssrv.sys (Microsoft Kernel Streaming Server)
Vulnerability Class   Heap-based buffer overflow
CVSS                  7.8
Exploited in the wild No
Patch Date            March 11, 2025

Root Cause

While ks.sys provides the core kernel streaming framework, mskssrv.sys implements the streaming server component that coordinates data flow between kernel-mode streaming filters. CVE-2025-24067 is a heap buffer overflow in this server driver, discovered as part of DEVCORE's ongoing kernel streaming research that began with Pwn2Own 2024.

The vulnerability follows the same pattern as CVE-2025-24066 in the sister driver: a crafted IOCTL carries a size field that the driver trusts without validation. The driver allocates a buffer in the non-paged pool and copies data from the IOCTL input into it, but the copy length comes from the untrusted size field rather than from the capacity of the allocation being written, so a size larger than that capacity writes past the end of the buffer and corrupts whatever pool allocation follows it.
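
The unchecked-length pattern described above, as an added C example that is not code from this page or from mskssrv.sys: the request layout, the status codes, the 64-byte allocation and the `fake_pool` are all assumed for illustration, and the pool is simulated as two adjacent chunks in one array so that the corruption of the neighbouring allocation can be observed in user mode. The vulnerable handler copies `data_size` bytes without checking it; the hardened handler checks the field against both the input length actually delivered and the capacity of the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes, modelled on NTSTATUS values, not the driver's own. */
#define STATUS_SUCCESS             0x00000000u
#define STATUS_INVALID_PARAMETER   0xC000000Du
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206u

/* Hypothetical request layout: a caller-controlled size field, then payload. */
struct stream_header { uint32_t data_size; };

#define OBJ_CAPACITY  64  /* hypothetical fixed-size pool allocation */
#define NEIGHBOUR_LEN 16  /* the allocation that happens to follow it */

/* Simulated non-paged pool: two adjacent chunks carved from one byte array,
 * so an overflow of chunk 0 lands in chunk 1 and is observable here without
 * undefined behaviour at the C level. In the kernel the write would run into
 * whatever pool allocation really follows. */
struct fake_pool { uint8_t bytes[OBJ_CAPACITY + NEIGHBOUR_LEN]; };

static void pool_init(struct fake_pool *p)
{
    memset(p->bytes, 0x00, OBJ_CAPACITY);                 /* chunk 0 */
    memset(p->bytes + OBJ_CAPACITY, 0x41, NEIGHBOUR_LEN); /* chunk 1 */
}

/* Returns 1 while the neighbouring chunk still holds its fill byte. */
static int neighbour_intact(const struct fake_pool *p)
{
    for (size_t i = 0; i < NEIGHBOUR_LEN; i++)
        if (p->bytes[OBJ_CAPACITY + i] != 0x41)
            return 0;
    return 1;
}

/* Vulnerable pattern: the copy length comes from the header and is compared
 * with neither the input length the I/O manager delivered nor the capacity
 * of the destination. (Simulation callers must keep data_size within
 * OBJ_CAPACITY + NEIGHBOUR_LEN.) */
static uint32_t handle_ioctl_vulnerable(struct fake_pool *pool,
                                        const void *input, size_t input_len)
{
    struct stream_header hdr;
    const uint8_t *payload;

    if (input_len < sizeof hdr)
        return STATUS_INVALID_BUFFER_SIZE;        /* the only check present */
    memcpy(&hdr, input, sizeof hdr);
    payload = (const uint8_t *)input + sizeof hdr;
    memcpy(pool->bytes, payload, hdr.data_size);  /* BUG: unchecked length */
    return STATUS_SUCCESS;
}

/* Hardened form: the size field must be covered by the bytes actually received
 * and must fit the destination. The subtraction form avoids the integer
 * overflow that "hdr.data_size + sizeof hdr > input_len" could hide. */
static uint32_t handle_ioctl_hardened(struct fake_pool *pool,
                                      const void *input, size_t input_len)
{
    struct stream_header hdr;
    const uint8_t *payload;

    if (input_len < sizeof hdr)
        return STATUS_INVALID_BUFFER_SIZE;
    memcpy(&hdr, input, sizeof hdr);
    if (hdr.data_size > input_len - sizeof hdr)
        return STATUS_INVALID_BUFFER_SIZE;        /* header lies about its payload */
    if (hdr.data_size > OBJ_CAPACITY)
        return STATUS_INVALID_PARAMETER;          /* would overflow the allocation */
    payload = (const uint8_t *)input + sizeof hdr;
    memcpy(pool->bytes, payload, hdr.data_size);
    return STATUS_SUCCESS;
}

/* Builds a request whose header claims `claimed` payload bytes while the
 * buffer really carries `actual` bytes of `fill`; returns the total length,
 * or 0 if it does not fit in buf. */
static size_t build_request(uint8_t *buf, size_t buf_len,
                            uint32_t claimed, size_t actual, uint8_t fill)
{
    struct stream_header hdr = { claimed };

    if (sizeof hdr + actual > buf_len)
        return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, fill, actual);
    return sizeof hdr + actual;
}

int main(void)
{
    struct fake_pool pool;
    uint8_t req[128];
    /* Constructed input: claims and carries 80 bytes, 16 more than chunk 0 holds. */
    size_t len = build_request(req, sizeof req, OBJ_CAPACITY + NEIGHBOUR_LEN,
                               OBJ_CAPACITY + NEIGHBOUR_LEN, 0x42);
    pool_init(&pool);
    handle_ioctl_vulnerable(&pool, req, len);
    printf("vulnerable: neighbour intact = %d\n", neighbour_intact(&pool));
    pool_init(&pool);
    printf("hardened:   status = 0x%08x, neighbour intact = %d\n",
           (unsigned)handle_ioctl_hardened(&pool, req, len), neighbour_intact(&pool));
    return 0;
}
```

The check against the delivered input length is there because a size field larger than the buffer the I/O manager actually passed in would otherwise turn the same bug into an out-of-bounds read from adjacent kernel memory; the capacity check is the one whose absence the page describes.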

The fact that both ks.sys and mskssrv.sys contain nearly identical overflow patterns suggests the same validation gap was replicated across multiple drivers in the streaming subsystem, likely because they share common IOCTL dispatch patterns or were developed by the same team with the same assumptions about input trust.

Exploitation

The exploitation path mirrors that of the other kernel streaming overflows. A locally authenticated attacker opens the mskssrv.sys device and sends the crafted IOCTL, overflowing the allocation in the non-paged pool. A pool spray places an attacker-chosen object in the allocation that follows the overflowed buffer, so the overflow corrupts a known kernel object rather than whatever happens to be adjacent. On current Windows builds the kernel pool is backed by the segment heap, so the sprayed objects must share the overflowed buffer's pool type and size class to land next to it.

The corrupted object yields the primitives needed for privilege escalation: typically an arbitrary kernel read or write, which the attacker uses to modify its own process token (for example by pointing it at the SYSTEM process's token) and continue as SYSTEM.

Exploitation Primitive

Crafted IOCTL with oversized data
  --> heap buffer overflow in mskssrv.sys non-paged pool
  --> adjacent pool object corruption
  --> kernel memory primitive --> SYSTEM

Broader Significance

CVE-2025-24067 completes the picture of systemic input validation failures across the kernel streaming subsystem. When the same class of bug appears independently in ks.sys, mskssrv.sys, and ksthunk.sys, it indicates a subsystem-wide pattern rather than isolated oversights. DEVCORE's 20+ findings across these drivers made kernel streaming one of the most prolific sources of Windows EoP vulnerabilities in 2025.

References