CVE-2025-53804
ntoskrnl.exe -- information disclosure via uninitialized kernel memory
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Information Disclosure |
| CVSS | 5.5 |
| Exploited ITW | No |
| Patch Date | September 9, 2025 |
Root Cause
This vulnerability, patched alongside CVE-2025-53803 in the September 2025 cycle, is a second instance of the NT kernel returning uninitialized memory to user-mode processes through a driver information query path.
The root cause is the same class of issue: the kernel allocates a buffer to hold response data for an information query, but does not fully initialize all fields before copying the buffer back to user mode. Uninitialized bytes in the response contain whatever data previously occupied that memory region on the kernel heap. This can include kernel pointers, object addresses, pool tags, and other metadata that reveals the internal structure of kernel memory.
The distinction from CVE-2025-53803 is the specific information class and code path involved. Both were likely discovered during the same audit pass, as they share the same vulnerability class, the same CVSS score, and the same patch date.
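The allocate-then-partially-populate pattern described above, and the fix of clearing the response before populating it, as an added example in C that is not from this advisory and not Microsoft's kernel code. The response structure, its field names, the hypothetical query handlers and the 0xAA stale-byte marker are all constructed for illustration; the real information class layout is not given on the page. A small counter reports how many bytes of prior heap contents survive into the buffer that would be copied to user mode under each handler.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical response structure for an information query (constructed for
 * illustration; not the layout of any real ntoskrnl information class).
 * The layout deliberately leaves alignment padding after 'status' and a
 * 'reserved' field that the handler never writes. */
typedef struct {
    uint8_t  status;     /* written by the handler; padding follows it */
    uint64_t object_id;  /* written by the handler */
    uint32_t flags;      /* written by the handler */
    uint32_t reserved;   /* never written: stays whatever the pool held */
} query_response_t;

#define STALE_BYTE 0xAA  /* stands in for the previous owner's data */

/* Simulate a non-zeroing pool allocation: the memory comes back still
 * holding a previous owner's bytes. */
static query_response_t *alloc_from_stale_pool(void) {
    query_response_t *r = malloc(sizeof *r);
    if (r) memset(r, STALE_BYTE, sizeof *r);
    return r;
}

/* Vulnerable pattern: only the fields the handler cares about are set. */
void fill_response_vulnerable(query_response_t *r) {
    r->status = 1;
    r->object_id = 0x1122334455667788ULL;
    r->flags = 0x5;
    /* padding and 'reserved' are left untouched */
}

/* Hardened pattern: clear the whole object first, then populate it. */
void fill_response_fixed(query_response_t *r) {
    memset(r, 0, sizeof *r);
    r->status = 1;
    r->object_id = 0x1122334455667788ULL;
    r->flags = 0x5;
}

/* Count bytes that still carry the stale marker. In a real leak these
 * bytes would be pool residue such as kernel pointers or object addresses. */
size_t count_stale_bytes(const void *buf, size_t len) {
    const uint8_t *p = buf;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == STALE_BYTE) n++;
    return n;
}

/* Run one query through the given handler and return how many stale bytes
 * reach the buffer handed back to the caller. */
size_t leaked_bytes(void (*handler)(query_response_t *)) {
    query_response_t *r = alloc_from_stale_pool();
    if (!r) return (size_t)-1;
    uint8_t user_buf[sizeof *r];
    handler(r);
    memcpy(user_buf, r, sizeof *r);  /* stands in for the copy to user mode */
    free(r);
    return count_stale_bytes(user_buf, sizeof user_buf);
}

int main(void) {
    printf("vulnerable handler leaks %zu stale bytes\n",
           leaked_bytes(fill_response_vulnerable));
    printf("fixed handler leaks %zu stale bytes\n",
           leaked_bytes(fill_response_fixed));
    return 0;
}
```

The vulnerable handler leaks the padding bytes and the whole reserved field (at least four bytes on any target, eleven on a 64-bit build); the fixed handler leaks none. In kernel code the same fix is a RtlZeroMemory of the output buffer before it is filled, or allocating it through an API that zeroes by default, such as ExAllocatePool2, which returns zeroed memory unless POOL_FLAG_UNINITIALIZED is requested.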
Exploitation
The exploitation model mirrors CVE-2025-53803 exactly. A standard user-mode process calls the vulnerable information query, receives a response buffer containing kernel heap residue, and parses out kernel addresses to defeat KASLR.
As a standalone vulnerability, this provides only information disclosure. Its value is as a building block: paired with any kernel memory corruption bug, the leaked addresses turn an unreliable exploit into a targeted one.
Exploitation Primitive
Kernel information query -> uninitialized response buffer
-> kernel heap contents returned to user mode
-> address extraction -> KASLR bypass
Broader Significance
The fact that two separate information disclosure bugs were patched in the same ntoskrnl.exe update reinforces a broader point: kernel information leaks are endemic. Every information class that returns data from kernel space is a potential leak vector if the output buffer is not fully initialized. Microsoft has made significant progress in reducing this attack surface through compiler-level initialization and manual audits, but the kernel's large API surface means new instances continue to surface. For defenders, these bugs are a reminder that KASLR alone is not a security boundary; it is a speed bump that information leaks routinely flatten.