
CVE-2025-49675

ksthunk.sys -- use-after-free in WOW64 thunk allows elevation of privilege

Summary

Field                 Value
Driver                ksthunk.sys (Kernel Streaming WOW64 Thunk)
Vulnerability class   Use-after-free
CVSS                  7.8
Exploited in the wild No
Patch date            July 8, 2025

Root Cause

The Kernel Streaming WOW64 Thunk driver (ksthunk.sys) exists to bridge the gap between 32-bit applications and the 64-bit kernel streaming infrastructure. When a 32-bit process on a 64-bit system issues a kernel streaming request (an IOCTL against a KS device), ksthunk.sys translates the 32-bit structures into their 64-bit equivalents, widening 32-bit pointer and size fields, before passing the request on to the actual KS driver.

The vulnerability arises from mismanaged object lifetimes during this translation. The thunk layer allocates temporary objects to hold the translated structures, but the path that frees these objects and the path that later uses them do not share a consistent view of who owns the object. Under specific conditions triggered by crafted 32-bit kernel streaming operations, a thunk object is freed while another reference to it remains live. The subsequent dereference through the stale pointer hits memory that is now on the free list, available for reclamation, or already reclaimed by an unrelated allocation.

ZeroPath published an analysis detailing how the object lifetime mismatch manifests in the thunk translation path.

Exploitation

An attacker running a 32-bit process on a 64-bit Windows system crafts kernel streaming operations that trigger the thunk translation path. The specific operations are designed to create the lifetime mismatch: one code path frees the thunk object while another retains a reference.

After the free occurs, the attacker sprays the kernel pool with controlled data to reclaim the freed allocation. When the stale pointer is dereferenced, it operates on the attacker's data instead of a legitimate thunk object. This yields a kernel memory corruption primitive which, once refined into a kernel read/write, can be parlayed into SYSTEM privilege escalation through standard techniques such as token swapping. The attacker needs only local code execution in an ordinary user context; the 32-bit process is the one additional requirement.

Exploitation Primitive

32-bit KS operation on 64-bit system -> ksthunk.sys translation
  -> thunk object freed with active reference -> UAF
  -> heap reclaim with controlled data -> kernel corruption -> SYSTEM
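The lifetime mismatch from the Root Cause section and the reclaim step from the Exploitation section, as a constructed C model added here. This is not ksthunk.sys code: the request layouts, the LIFO pool and the one-slot completion table are invented stand-ins for the pattern, not the driver's internals. The vulnerable submit path frees the thunk object on a translation error while the completion table still points at it; a same-size allocation filled with 0x41 bytes reclaims the slot; the completion path then reads attacker bytes as a pointer. The hardened variant beside it gives the completion table its own reference and unregisters the object before dropping it, so nothing can free the object while the table still holds it.

```c
/* Constructed model of the thunk-object lifetime bug class described above. This is
 * NOT ksthunk.sys code: structures, pool and pending table are invented stand-ins. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* 32-bit KS-style request as a WOW64 caller lays it out: the pointer is 32 bits wide. */
typedef struct { uint32_t data_ptr32; uint32_t data_len; } KsRequest32;
/* The 64-bit layout the thunk layer hands to the real KS driver. */
typedef struct { uint64_t data_ptr; uint32_t data_len; } KsRequest64;
/* Thunk object: translated request plus a refcount (only the hardened path uses it). */
typedef struct { KsRequest64 req; int refs; } ThunkObj;

/* Tiny LIFO pool standing in for the kernel pool: the slot freed most recently is
 * handed out next, which is what makes the reclaim step reliable. */
#define POOL_SLOTS 4
static ThunkObj pool[POOL_SLOTS];
static ThunkObj *free_list[POOL_SLOTS];
static int free_top;
static ThunkObj *pending;   /* one-slot completion table: the "other" holder of the object */

static void pool_reset(void) {                      /* pool[0] comes out first */
    for (free_top = 0; free_top < POOL_SLOTS; free_top++) free_list[free_top] = &pool[POOL_SLOTS - 1 - free_top];
}
static ThunkObj *pool_alloc(void) {
    ThunkObj *o = free_top ? free_list[--free_top] : NULL;
    if (o) { memset(o, 0, sizeof *o); o->refs = 1; }
    return o;
}
/* Poison the freed slot and push it back on the free list. */
static void pool_free(ThunkObj *o) { memset(o, 0, sizeof *o); free_list[free_top++] = o; }
/* Hardened path only: drop one reference, free when the last one goes. */
static void thunk_put(ThunkObj *o) { if (--o->refs == 0) pool_free(o); }

/* Translate the 32-bit request into the thunk object; fail on an oversize length. */
static bool thunk_translate(const KsRequest32 *in, ThunkObj *out) {
    if (in->data_len > 0x1000) return false;
    out->req.data_ptr = (uint64_t)in->data_ptr32;   /* zero-extend the 32-bit pointer */
    out->req.data_len = in->data_len;
    return true;
}

/* Submit: allocate the thunk object, register it for completion, translate. */
static bool ks_submit(const KsRequest32 *in, bool hardened) {
    ThunkObj *o = pool_alloc();
    if (!o) return false;
    pending = o;
    if (hardened) o->refs++;                        /* the table now owns a reference */
    if (!thunk_translate(in, o)) {
        if (hardened) {
            pending = NULL;                         /* unregister, then drop the table's ref */
            thunk_put(o);
            thunk_put(o);                           /* submitter's ref: count hits 0, freed */
        } else {
            pool_free(o);                           /* BUG: pending still points at freed memory */
        }
        return false;
    }
    if (hardened) thunk_put(o);                     /* submitter done; the table keeps its ref */
    return true;
}

/* Complete: dereference whatever the table holds. Returns data_ptr, or 0 if nothing pending. */
static uint64_t ks_complete(bool hardened) {
    if (!pending) return 0;
    ThunkObj *o = pending;
    uint64_t p = o->req.data_ptr;                   /* stale dereference in the vulnerable case */
    pending = NULL;
    if (hardened) thunk_put(o); else pool_free(o);  /* vulnerable case also frees the spray object */
    return p;
}

typedef struct { uint64_t observed_ptr; bool stale_aliases_spray; } Outcome;
/* Attacker sequence from the text: a request that fails translation frees the thunk object,
 * a same-size allocation of controlled bytes reclaims the slot, completion reads that data. */
Outcome run_scenario(bool hardened) {
    Outcome r = {0};
    pool_reset();
    pending = NULL;
    KsRequest32 bad = { .data_ptr32 = 0x1000, .data_len = 0x7FFFFFFF };  /* fails translation */
    ks_submit(&bad, hardened);
    ThunkObj *stale = pending;                      /* vulnerable: dangling; hardened: NULL */
    ThunkObj *spray = pool_alloc();                 /* unrelated allocation of the same size */
    memset(spray, 0x41, sizeof *spray);             /* attacker-controlled contents */
    r.stale_aliases_spray = (stale != NULL && stale == spray);
    r.observed_ptr = ks_complete(hardened);
    return r;
}

int main(void) {
    Outcome v = run_scenario(false), h = run_scenario(true);
    printf("vulnerable: data_ptr=0x%" PRIx64 " aliases_spray=%d\n", v.observed_ptr, v.stale_aliases_spray);
    printf("hardened:   data_ptr=0x%" PRIx64 " aliases_spray=%d\n", h.observed_ptr, h.stale_aliases_spray);
    return 0;
}
```

Running it shows the vulnerable path completing a request whose data_ptr is 0x4141414141414141, read out of memory that now belongs to the spray allocation, while the hardened path finds nothing pending. The point of the fix is not the refcount on its own: every path that can drop the object must first remove it from the table that still points at it, or the table must be the sole owner. In a real driver that means holding the lock protecting the pending table across the free, or only freeing through the table's own release.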

Broader Significance

The WOW64 thunk layer is a niche attack surface that is easy to overlook. Most security research focuses on the primary kernel streaming drivers (ks.sys and the miniport drivers beneath it), but the translation layer introduces its own set of object lifetime assumptions that may not hold under adversarial input. The fact that the vulnerability is only reachable from 32-bit processes is both a limitation and an advantage for the attacker: a 32-bit binary is required, but WOW64 runs one on any 64-bit Windows client by default, so the constraint costs little, while telemetry and detection logic written around 64-bit KS callers can miss the WOW64 path entirely.

References