CVE-2025-49675
ksthunk.sys — use-after-free in WOW64 thunk allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys (Kernel Streaming WOW64 Thunk) |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited in the wild | No |
| Patch Date | July 8, 2025 |
Root Cause
The Kernel Streaming WOW64 Thunk driver mismanages object lifetimes during 32-bit-to-64-bit structure translation: a thunk object is freed and then dereferenced through a stale pointer.
Exploitation
The attacker triggers the UAF through crafted 32-bit kernel streaming operations on a 64-bit system. Heap spraying then reclaims the freed memory, which gives the attacker a kernel corruption primitive.
Exploitation Primitive
32-bit KS operation → thunk UAF → heap reclaim → kernel corruption → SYSTEM