CVE-2025-32722

storport.sys -- buffer over-read leaks kernel memory

Summary

| Field | Value |
|---|---|
| Driver | storport.sys (Storage Port Driver) |
| Vulnerability Class | Information Disclosure (Buffer Over-Read) |
| CVSS | 5.5 |
| Exploited ITW | No |
| Patch Date | June 10, 2025 |

Root Cause

The Windows Storage Port driver sits between the storage class driver and the miniport, handling the translation of storage requests. This vulnerability exists because storport.sys does not properly enforce buffer boundaries when processing certain storage request blocks.

When a storage request arrives with a response buffer, the driver copies data back to the caller without checking whether the amount of data being returned actually fits within the declared buffer size. The over-read pulls in whatever kernel memory happens to follow the legitimate data in the pool allocation. From the caller's perspective, the extra bytes look like part of the response, but they actually contain fragments of unrelated kernel heap contents.
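The copy pattern described above, as an added model written for this page (it is not storport.sys code): the request layout, the function names and the pool contents are all constructed, with a vulnerable completion routine that trusts the caller's declared length placed beside the hardened form that clamps the copy to the real response length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed pool allocation: RESPONSE_LEN bytes of legitimate response data
 * followed by unrelated heap contents that must never be handed to a caller. */
#define RESPONSE_LEN 8u
#define POOL_LEN     16u
static const uint8_t pool_block[POOL_LEN] = {
    'R','E','S','P','O','N','S','E',              /* legitimate response bytes */
    0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x11,0x22       /* adjacent heap "secrets"   */
};
/* Hypothetical request shape: the caller declares how large its buffer is. */
struct request {
    uint8_t *buffer;
    size_t   declared_len;
};
/* Vulnerable pattern, as the advisory describes it: the copy length comes from
 * the caller's declaration, not from the real response length, so a larger
 * declaration reads past the legitimate bytes. Returns bytes handed back. */
size_t complete_request_vulnerable(struct request *req)
{
    /* Clamp to POOL_LEN only so this model stays inside the constructed array;
     * the missing check is the one against RESPONSE_LEN. */
    size_t n = req->declared_len < POOL_LEN ? req->declared_len : POOL_LEN;
    memcpy(req->buffer, pool_block, n);
    return n;
}
/* Hardened form: copy at most the legitimate response length and report the
 * clamped count, so nothing past the response is read or returned. */
size_t complete_request_fixed(struct request *req)
{
    size_t n = req->declared_len < RESPONSE_LEN ? req->declared_len : RESPONSE_LEN;
    memcpy(req->buffer, pool_block, n);
    return n;
}
/* Harness: run one request through either handler and report whether any byte
 * from beyond the response reached the caller (1 = leak). Count goes to *returned. */
int request_leaks(int use_fixed, size_t declared_len, size_t *returned)
{
    uint8_t out[POOL_LEN] = {0};
    struct request req = { out, declared_len };
    size_t n = use_fixed ? complete_request_fixed(&req) : complete_request_vulnerable(&req);
    if (returned) *returned = n;
    return n > RESPONSE_LEN &&
           memcmp(out + RESPONSE_LEN, pool_block + RESPONSE_LEN, n - RESPONSE_LEN) == 0;
}
```

Calling `request_leaks(0, 16, NULL)` reproduces the leak (the eight "secret" bytes arrive in the caller's buffer), while `request_leaks(1, 16, NULL)` returns no leak and reports only eight bytes transferred.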

Exploitation

An attacker on the local machine crafts storage port requests designed to trigger the over-read condition. The returned buffer contains kernel memory contents beyond the intended response data. These leaked bytes can reveal kernel addresses, defeating KASLR and providing the foundation for a more powerful exploit chain.

While the vulnerability itself is limited to information disclosure (CVSS 5.5), kernel address leaks are a critical prerequisite for most modern kernel exploits. In a real attack, this would likely be paired with a separate memory corruption vulnerability to achieve full privilege escalation.

Exploitation Primitive

Crafted storage port request -> buffer over-read
  -> kernel memory contents returned to user mode
  -> KASLR bypass / address leak

Broader Significance

Information disclosure bugs in kernel drivers are often underestimated because they do not directly grant code execution. In practice, they are essential building blocks. With KASLR active on all modern Windows systems, an attacker needs a reliable address leak before most EoP exploits become practical. Bugs like this one in storport.sys fill that role, turning a theoretical kernel exploit into a working one.

References