CVE-2025-53149
ksthunk.sys — heap overflow in HandleArrayProperty from unchecked BytesReturned
Summary
| Field | Value |
|---|---|
| Driver | ksthunk.sys (Kernel Streaming WOW Thunk) |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | August 12, 2025 |
Affected Functions
CKSAutomationThunk::HandleArrayProperty
KsSynchronousIoControlDevice (called twice)
Root Cause
CKSAutomationThunk::HandleArrayProperty issues two calls to KsSynchronousIoControlDevice: the first to learn how many bytes the device will return (BytesReturned), the second to read the array itself. The output buffer is sized from the caller-supplied OutputBufferLength, which the code only checks for being non-zero; it is never compared against the BytesReturned value obtained from the first call. If the underlying device returns more data than that buffer can hold, the second call writes past the end of the non-paged pool allocation.
The vulnerable code path is reachable by targeting KSPROPSETID_VPConfig or KSPROPSETID_VPVBIConfig property sets.
Vulnerable Code Path
CKSAutomationThunk::HandleArrayProperty
→ KsSynchronousIoControlDevice (first call: get BytesReturned)
→ allocate buffer based on OutputBufferLength (not BytesReturned)
→ KsSynchronousIoControlDevice (second call: read into undersized buffer)
→ non-paged heap overflow
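The two-call pattern described under Root Cause and in the code path above, modelled in user-mode C as an added example (this is not ksthunk.sys code and not Microsoft's fix). KsSynchronousIoControlDevice is replaced by a hypothetical mock_ks_ioctl whose device always hands back a 48-byte array regardless of the buffer length it is given, and each output buffer is followed by a guard region so the overflow lands in memory the program owns and can be measured instead of in a neighbouring allocation. The vulnerable handler keeps only the non-zero check on OutputBufferLength; the hardened one compares BytesReturned from the first call against OutputBufferLength before issuing the second. All sizes and names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the array the mock device returns; larger than the 16-byte request
   used in main() so the overflow is visible. Constructed value. */
#define DEVICE_ARRAY_BYTES 48
/* Guard region placed after every output buffer. It is larger than the device
   array, so the vulnerable write always stays inside memory we own. */
#define GUARD_BYTES 64
#define GUARD_FILL 0xA5

/* Hypothetical stand-in for KsSynchronousIoControlDevice (not the real API).
   With out == NULL it reports the array size; with a buffer it copies the
   whole array, mirroring the advisory's premise that the device returns more
   data than the buffer can hold. Payload bytes are 0x41 so they are
   distinguishable from the guard fill. */
static int mock_ks_ioctl(uint8_t *out, size_t out_len, size_t *bytes_returned)
{
    (void)out_len; /* the device ignores the length it was handed */
    if (out == NULL) {
        *bytes_returned = DEVICE_ARRAY_BYTES;
        return 0;
    }
    memset(out, 0x41, DEVICE_ARRAY_BYTES);
    *bytes_returned = DEVICE_ARRAY_BYTES;
    return 0;
}

typedef struct {
    int    status;          /* 0 = request completed, -1 = request rejected */
    size_t guard_clobbered; /* guard bytes overwritten; non-zero means overflow */
} run_result;

static size_t count_clobbered(const uint8_t *guard)
{
    size_t n = 0;
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (guard[i] != GUARD_FILL) n++;
    return n;
}

/* Vulnerable pattern: the buffer is sized from OutputBufferLength, which is
   only checked for being non-zero; BytesReturned from the first call is never
   compared against it before the second call writes the array. */
run_result vulnerable_handle_array_property(size_t output_buffer_length)
{
    run_result r = {0, 0};
    size_t bytes_returned = 0;
    if (output_buffer_length == 0) { r.status = -1; return r; }

    mock_ks_ioctl(NULL, 0, &bytes_returned); /* first call: byte count, then ignored */

    uint8_t *buf = malloc(output_buffer_length + GUARD_BYTES);
    if (buf == NULL) { r.status = -1; return r; }
    memset(buf + output_buffer_length, GUARD_FILL, GUARD_BYTES);
    mock_ks_ioctl(buf, output_buffer_length, &bytes_returned); /* second call: full array */

    r.guard_clobbered = count_clobbered(buf + output_buffer_length);
    free(buf);
    return r;
}

/* Hardened pattern: reject the request when the device wants to return more
   than the caller's buffer holds, before the second call is ever made. */
run_result hardened_handle_array_property(size_t output_buffer_length)
{
    run_result r = {0, 0};
    size_t bytes_returned = 0;
    if (output_buffer_length == 0) { r.status = -1; return r; }

    mock_ks_ioctl(NULL, 0, &bytes_returned);
    if (bytes_returned > output_buffer_length) { r.status = -1; return r; } /* the missing check */

    uint8_t *buf = malloc(output_buffer_length + GUARD_BYTES);
    if (buf == NULL) { r.status = -1; return r; }
    memset(buf + output_buffer_length, GUARD_FILL, GUARD_BYTES);
    mock_ks_ioctl(buf, output_buffer_length, &bytes_returned);

    r.guard_clobbered = count_clobbered(buf + output_buffer_length);
    free(buf);
    return r;
}

int main(void)
{
    run_result v = vulnerable_handle_array_property(16);
    run_result h = hardened_handle_array_property(16);
    printf("vulnerable: status=%d guard bytes clobbered=%zu\n", v.status, v.guard_clobbered);
    printf("hardened:   status=%d guard bytes clobbered=%zu\n", h.status, h.guard_clobbered);
    return 0;
}
```

With a 16-byte request the vulnerable handler overwrites 32 guard bytes (48 device bytes minus the 16 that fit) while the hardened handler rejects the request before the second call; a 64-byte request completes cleanly in both because the device's 48 bytes fit.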
Exploitation
The attacker creates a crafted kernel streaming device and sends property requests for KSPROPSETID_VPConfig (or KSPROPSETID_VPVBIConfig) through the thunk, so that the device reports more bytes than the requested OutputBufferLength. The resulting overflow corrupts whatever non-paged pool objects sit adjacent to the undersized allocation.
Exploitation Primitive
Crafted KSPROPSETID_VPConfig request → HandleArrayProperty
→ OutputBufferLength < BytesReturned → heap overflow → SYSTEM