CVE-2025-53803
ntoskrnl.exe -- information disclosure via unsanitized kernel memory returned to user mode
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Information Disclosure |
| CVSS | 5.5 |
| Exploited ITW | No |
| Patch Date | September 9, 2025 |
Root Cause
The NT kernel exposes a large set of information classes through system calls such as NtQuerySystemInformation and the related query APIs. Each information class returns a specific view of the running system, and the kernel is responsible for ensuring that the buffer it hands back contains only the fields that class is defined to return. For the affected information class, it does not.
When a user-mode process queries that information class, the kernel allocates a response buffer from the kernel pool (its heap) and populates it from internal data structures. It neither zero-initializes the buffer before filling it nor sanitizes the bytes it never writes: compiler-inserted alignment padding between members, and gaps such as the unused tail of a fixed-size field. Those bytes keep whatever the memory held before, so fragments of previously freed pool allocations are copied to user mode alongside the legitimate response fields.
The leaked bytes can contain kernel pointers, pool metadata, or other data that reveals the kernel's memory layout. For an attacker this is a KASLR (kernel address space layout randomization) bypass: the disclosed addresses reveal where kernel modules, object types, or particular allocations reside, which is exactly what a memory corruption exploit needs to know before it can target them.
Exploitation
The attacker issues the vulnerable information class query from an ordinary user-mode process. No privileges beyond normal user-level access to the system call are required, which matches the CVSS 5.5 rating (local, low privileges, confidentiality impact only). The returned buffer contains unsanitized kernel data interleaved with the legitimate response fields.
By parsing the response buffer for pointer-sized values that fall within the kernel's address range (on x64, the canonical upper half of the address space, starting at 0xFFFF800000000000), the attacker extracts kernel addresses. Because pool reuse is not deterministic, the leaked contents vary from call to call, so in practice the query is repeated and the candidate values filtered until a stable, plausible address emerges. These addresses defeat KASLR and supply the targeting information that a separate memory corruption bug needs to reach SYSTEM; on its own, this vulnerability does not escalate privileges.
Exploitation Primitive
NtQuerySystemInformation (specific info class) -> unsanitized response buffer
-> kernel heap contents leaked to user mode
-> kernel address extraction -> KASLR bypass
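The following is an added example, not code from this advisory or from Microsoft: a user-mode C model of both the root cause described above and the attacker's parsing step. It assumes an invented information class with a FAKE_INFO layout, a fake pool allocator whose chunks still hold a made-up stale address KSTALE_PTR, and invented function names; none of these are the real structures behind CVE-2025-53803, and the actual affected information class is not named on this page. The vulnerable query shows the missing zero-initialization and the unwritten gap, the hardened query shows the fix, and extract_kernel_pointers shows the range check an exploit would run over the response.

```c
/* Added example, not Microsoft's code: a user-mode model of the bug class this
 * advisory describes. The FAKE_INFO layout, KSTALE_PTR, the fake pool and all
 * function names are invented for illustration; they are not the real
 * structures behind CVE-2025-53803. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KSTALE_PTR 0xFFFFF80012345678ULL   /* made-up ntoskrnl-range address */

/* Response layout for the made-up info class. The vulnerable path writes only
 * strlen(name) bytes of name[], so the rest of the array is a gap. */
typedef struct {
    uint32_t count;
    char     name[16];
} FAKE_INFO;

static uint64_t g_pool[8];                   /* 64-byte fake nonpaged pool chunk */
static const char *const g_name = "svc";     /* constructed sample data */

/* Hand out a chunk whose previous tenant left kernel pointers behind. Real pool
 * reuse is nondeterministic; fixing the contents keeps the example repeatable. */
static void *pool_alloc(void)
{
    for (size_t i = 0; i < sizeof g_pool / sizeof g_pool[0]; i++)
        g_pool[i] = KSTALE_PTR;
    return g_pool;
}

/* Vulnerable pattern: no RtlZeroMemory, partial write into name[], whole
 * structure copied to the caller's buffer. Returns bytes written. */
size_t query_info_vulnerable(uint8_t *user_buf, size_t user_len)
{
    FAKE_INFO *info = pool_alloc();
    if (user_len < sizeof *info)
        return 0;
    info->count = (uint32_t)strlen(g_name);
    memcpy(info->name, g_name, strlen(g_name));  /* tail of name[] stays stale */
    memcpy(user_buf, info, sizeof *info);        /* stale bytes reach user mode */
    return sizeof *info;
}

/* Hardened pattern: zero the allocation before populating it (the
 * zero-initialization step the advisory refers to), then copy. */
size_t query_info_hardened(uint8_t *user_buf, size_t user_len)
{
    FAKE_INFO *info = pool_alloc();
    if (user_len < sizeof *info)
        return 0;
    memset(info, 0, sizeof *info);
    info->count = (uint32_t)strlen(g_name);
    memcpy(info->name, g_name, strlen(g_name) + 1);
    memcpy(user_buf, info, sizeof *info);
    return sizeof *info;
}

/* Attacker side: scan every 8-byte window (not only aligned ones, since leaked
 * fragments need not respect field boundaries) for values in the x64 canonical
 * kernel half of the address space. */
size_t extract_kernel_pointers(const uint8_t *buf, size_t len,
                               uint64_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + sizeof(uint64_t) <= len && n < max_out; i++) {
        uint64_t v;
        memcpy(&v, buf + i, sizeof v);
        if (v >= 0xFFFF800000000000ULL)
            out[n++] = v;
    }
    return n;
}

/* Nonzero bytes in the part of name[] the query never meant to write. */
static size_t stale_bytes(size_t (*query)(uint8_t *, size_t))
{
    uint8_t buf[sizeof(FAKE_INFO)] = {0};
    size_t stale = 0;
    if (query(buf, sizeof buf) != sizeof buf)
        return 0;
    for (size_t i = offsetof(FAKE_INFO, name) + strlen(g_name); i < sizeof buf; i++)
        stale += buf[i] != 0;
    return stale;
}

/* First kernel-range value found in the response, or 0 if none. */
static uint64_t first_pointer(size_t (*query)(uint8_t *, size_t))
{
    uint8_t buf[sizeof(FAKE_INFO)] = {0};
    uint64_t ptrs[4];
    query(buf, sizeof buf);
    return extract_kernel_pointers(buf, sizeof buf, ptrs, 4) ? ptrs[0] : 0;
}

size_t   vulnerable_stale_bytes(void)    { return stale_bytes(query_info_vulnerable); }
size_t   hardened_stale_bytes(void)      { return stale_bytes(query_info_hardened); }
uint64_t vulnerable_leaked_pointer(void) { return first_pointer(query_info_vulnerable); }
uint64_t hardened_leaked_pointer(void)   { return first_pointer(query_info_hardened); }

int main(void)
{
    printf("vulnerable: %zu stale bytes, leaked 0x%016llx\n", vulnerable_stale_bytes(),
           (unsigned long long)vulnerable_leaked_pointer());
    printf("hardened:   %zu stale bytes, leaked 0x%016llx\n", hardened_stale_bytes(),
           (unsigned long long)hardened_leaked_pointer());
    return 0;
}
```

Build with `cc -Wall -o leak leak.c && ./leak`. The vulnerable path returns the stale KSTALE_PTR through the unwritten tail of name[], and the scan finds it; the hardened path returns zeros in the same bytes and the scan finds nothing. In the real bug the stale contents are whatever last occupied that pool chunk, which is why an exploit repeats the query and filters rather than trusting a single response.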
Broader Significance
Information disclosure bugs in ntoskrnl.exe are among the most valuable primitives for exploit developers. They turn theoretical kernel exploits into practical ones by providing the address information needed to target specific kernel objects. Microsoft has been systematically adding zero-initialization to kernel output buffers, but the sheer number of information classes and output paths means that gaps continue to be found. This CVE, paired with CVE-2025-53804 (patched the same day), suggests a focused audit found multiple instances in the same patch cycle.