CVE-2025-54110
ntoskrnl.exe -- integer overflow in size calculation allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe |
| Vulnerability Class | Integer Overflow |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | September 9, 2025 |
Root Cause
Integer overflows in kernel size calculations are a classic vulnerability class that continues to appear in modern Windows. In CVE-2025-54110, the NT kernel performs an arithmetic operation to compute the size of a buffer allocation. The inputs to this calculation come, directly or indirectly, from user-supplied values.
When the attacker provides values that cause the multiplication or addition to wrap around the maximum value of the integer type, the result is a small number instead of the intended large one. The kernel allocates a buffer of this (now small) size, then proceeds to write data into it based on the original, un-wrapped values. The write exceeds the allocation boundary, producing a heap buffer overflow.
The fundamental issue is that the kernel trusts the arithmetic result without checking for overflow. Modern compilers and security tooling can detect some of these patterns, but not all size calculations pass through checked arithmetic paths, especially in legacy code.
Exploitation
The attacker identifies the specific system call or kernel interface that performs the vulnerable size calculation. By providing carefully chosen input values that cause the integer to wrap, they trigger an undersized allocation followed by an oversized write.
The resulting heap overflow corrupts adjacent pool allocations. Through standard heap grooming techniques (placing controlled objects adjacent to the target allocation), the attacker shapes the overflow to corrupt specific kernel data structures. This yields an arbitrary write or read primitive, which is then used for token manipulation and SYSTEM escalation.
Exploitation Primitive
User-supplied values -> integer overflow in size calculation
-> undersized kernel allocation -> oversized write
-> heap overflow -> adjacent object corruption -> SYSTEM
Broader Significance
Integer overflows in size calculations occupy a unique position in the vulnerability landscape. They are conceptually simple, often reducible to a single missing overflow check on a single arithmetic operation. Yet they continue to appear in production kernel code because the sheer volume of size calculations in a kernel makes comprehensive auditing difficult. Every ExAllocatePool call that computes its size from user-influenced inputs is a potential instance. The fix is typically straightforward (use safe integer arithmetic functions or add explicit overflow checks), but finding all instances requires systematic code review.