CVE-2025-5942
epdlpdrv.sys -- Netskope Endpoint DLP heap overflow causes denial of service
Summary
| Field | Value |
|---|---|
| Driver | epdlpdrv.sys (Netskope Endpoint DLP) |
| Vendor | Netskope |
| Vulnerability Class | Heap-Based Buffer Overflow |
| CVSS | 5.7 (Medium) |
| Exploited ITW | No |
| Patch Date | August 13, 2025 |
Root Cause
Netskope's Endpoint DLP driver (epdlpdrv.sys) is a minifilter that monitors file operations to enforce data loss prevention policies. It runs in kernel context on every endpoint where Netskope is deployed, intercepting file I/O to inspect content against DLP rules.
The vulnerability is straightforward: the driver accepts a user-supplied length value and uses it to copy data into a kernel heap buffer without first checking that the length does not exceed the buffer's capacity. An unprivileged local user can send input with an oversized length, causing the copy to overflow the heap buffer and corrupt adjacent pool allocations.
The corruption is not controllable enough for reliable code execution. Instead, the corrupted pool metadata causes the kernel allocator to detect an inconsistency, triggering a bugcheck (BSOD). The result is a denial-of-service condition that any local user can trigger without elevated privileges.
This is distinct from CVE-2025-11156 in the same driver, which requires admin privileges. CVE-2025-5942 is reachable from an unprivileged user account, making it a more impactful DoS vector.
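As an added illustration of the bug class described in this section (constructed example code, not the epdlpdrv.sys source; the request layout, the 64-byte capacity and every function name are assumptions), the following user-mode C program places the unchecked copy beside its hardened form. The only difference between the two is the comparison of the caller-supplied length against the allocation's real capacity before `memcpy`, which is exactly the check the driver was missing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request header modelled on the bug class above: the caller
 * (an unprivileged user-mode client) states how many payload bytes follow.
 * This is NOT the real epdlpdrv.sys request format. */
typedef struct {
    uint32_t length;        /* caller-controlled: number of payload bytes */
    const uint8_t *payload;
} dlp_request_t;

/* Fixed-capacity heap buffer standing in for a kernel pool allocation. */
typedef struct {
    size_t capacity;
    uint8_t *data;
} pool_buffer_t;

#define POOL_BUFFER_CAPACITY 64   /* assumed size; chosen for the example */

pool_buffer_t *pool_buffer_alloc(void) {
    pool_buffer_t *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->data = calloc(POOL_BUFFER_CAPACITY, 1);
    if (!b->data) { free(b); return NULL; }
    b->capacity = POOL_BUFFER_CAPACITY;
    return b;
}

void pool_buffer_free(pool_buffer_t *b) {
    if (!b) return;
    free(b->data);
    free(b);
}

/* BEFORE (the vulnerable pattern): the untrusted length drives the copy with
 * no comparison against the destination capacity. A length above 64 writes
 * past the end of the allocation; in a kernel pool that clobbers the next
 * block's metadata and ends in a bugcheck. Shown only to make the missing
 * check visible; it is never called with an oversized length here. */
void copy_request_unchecked(pool_buffer_t *dst, const dlp_request_t *req) {
    memcpy(dst->data, req->payload, req->length);   /* no bound on length */
}

/* AFTER (hardened): validate the untrusted length against the real capacity
 * before touching memory. Returns 0 on success and -1 when the request is
 * rejected, so the caller can fail the request instead of copying. */
int copy_request_checked(pool_buffer_t *dst, const dlp_request_t *req) {
    if (!dst || !req || !req->payload) return -1;
    if (req->length > dst->capacity) return -1;     /* oversized: reject */
    memcpy(dst->data, req->payload, req->length);
    return 0;
}

/* Runs a request of `len` bytes through the checked path and reports
 * whether it was accepted (0) or rejected (-1). */
int process_request(uint32_t len) {
    uint8_t payload[256];                   /* constructed sample payload */
    memset(payload, 'A', sizeof payload);
    dlp_request_t req = { len, payload };
    pool_buffer_t *buf = pool_buffer_alloc();
    if (!buf) return -1;
    int rc = copy_request_checked(buf, &req);
    pool_buffer_free(buf);
    return rc;
}

int main(void) {
    uint32_t lengths[] = { 0, 64, 65, 4096 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("length %u -> %s\n", lengths[i],
               process_request(lengths[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check has to compare against the capacity of the allocation actually being written, not against a size derived from the same untrusted header; a length field that is also used to size the allocation (with the arithmetic unchecked for overflow) is a common way the same class of bug survives a first fix.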
Exploitation
The exploitation is simple: an unprivileged user sends crafted input to the driver with a length value that exceeds the target buffer size. The heap overflow corrupts pool metadata, and the system blue-screens.
There is no privilege escalation or code execution component. The impact is purely denial of service. However, the ability for any local user to crash the system on demand is significant in enterprise environments where uptime matters and where Netskope's DLP agent is deployed across thousands of endpoints.
Exploitation Primitive
Unprivileged user sends crafted input with oversized length
-> heap overflow in epdlpdrv.sys
-> pool metadata corruption -> BSOD
Broader Significance
Security products that install kernel drivers expand the system's attack surface even as they aim to protect it. Every security agent's minifilter is kernel code that processes input from potentially malicious sources. When that code has a buffer overflow reachable by unprivileged users, it creates an ironic situation: the security product becomes the vulnerability. This pattern has appeared across multiple security vendors (see also the K7 Security driver in CVE-2025-52915 and the ThreatFire driver in CVE-2025-61156). For security product vendors, kernel driver code quality is a direct security obligation to their customers.