
CVE-2025-62215

ntoskrnl.exe — race condition causes double-free in kernel heap, exploited ITW

Exploited in the Wild

Actively exploited zero-day. Discovered by MSTIC and MSRC. Added to CISA KEV.

Summary

Field                Value
Driver               ntoskrnl.exe
Vulnerability Class  Race Condition / Double-Free
CVSS                 7.0
Exploited ITW        Yes
Patch Date           November 11, 2025

Root Cause

Multiple threads accessing the same kernel resource without proper synchronization cause a double-free of a kernel heap allocation. The Object Manager does not serialize concurrent handle operations on a shared object, so two threads can free the same block. The corrupted heap metadata lets an attacker overwrite adjacent memory and hijack execution flow.

Affects all supported Windows editions including Server and Windows 10 ESU.
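The root cause above is the classic check-then-act race on a shared handle slot: two closers both pass the "is this slot populated?" check before either clears it, so both release the same object. The following is an added, constructed toy model in C (not ntoskrnl code, and not the actual Object Manager handle table) that replays that losing interleaving deterministically and shows the standard mitigation: transfer ownership of the slot with a single atomic exchange so that only one caller ever receives the pointer. The names `unsafe_lookup`, `unsafe_release`, `safe_take`, `safe_release` and the `toy_free` counter are hypothetical; `toy_free` counts releases instead of calling `free()` twice so the double-free is observable without crashing the process.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy handle table: a hypothetical model, not kernel code. */
#define HANDLE_SLOTS 8

typedef struct { char payload[32]; } kobject_t;

/* Toy heap instrumentation: count frees instead of freeing twice,
   so a double-free is observable rather than a crash. */
static int frees_seen = 0;
static void toy_free(kobject_t *obj) { (void)obj; frees_seen++; }

/* Unsafe table: plain pointer slots; lookup and clear are separate steps,
   which is the window a second closer can slip into. */
static kobject_t *slots_unsafe[HANDLE_SLOTS];

/* Step 1 of an unsafe close: read the slot (the "check"). */
static kobject_t *unsafe_lookup(int h) { return slots_unsafe[h]; }

/* Step 2: free what was read and clear the slot (the "act").
   A closer that ran step 1 in between holds the same pointer. */
static void unsafe_release(int h, kobject_t *obj) {
    if (obj) { toy_free(obj); slots_unsafe[h] = NULL; }
}

/* Hardened table: the slot is atomic and ownership moves out of it with one
   exchange, so exactly one closer receives the pointer and the rest get NULL. */
static _Atomic(kobject_t *) slots_safe[HANDLE_SLOTS];

static kobject_t *safe_take(int h) {
    return atomic_exchange(&slots_safe[h], NULL);
}
static void safe_release(kobject_t *obj) { if (obj) toy_free(obj); }

/* Replays the losing interleaving: closer A and closer B both pass the lookup
   before either clears the slot. Returns the number of frees observed. */
int replay_unsafe_close_race(void) {
    frees_seen = 0;
    kobject_t *obj = malloc(sizeof *obj);
    slots_unsafe[3] = obj;
    kobject_t *seen_by_a = unsafe_lookup(3);   /* A: slot still populated */
    kobject_t *seen_by_b = unsafe_lookup(3);   /* B: preempts A, same pointer */
    unsafe_release(3, seen_by_a);              /* A: frees, clears slot */
    unsafe_release(3, seen_by_b);              /* B: frees again -> double-free */
    free(obj);
    return frees_seen;                         /* 2 */
}

/* Same interleaving against the hardened table: B's exchange yields NULL. */
int replay_safe_close_race(void) {
    frees_seen = 0;
    kobject_t *obj = malloc(sizeof *obj);
    atomic_store(&slots_safe[3], obj);
    kobject_t *seen_by_a = safe_take(3);       /* A: wins the exchange */
    kobject_t *seen_by_b = safe_take(3);       /* B: slot already empty */
    safe_release(seen_by_a);                   /* frees once */
    safe_release(seen_by_b);                   /* no-op on NULL */
    free(obj);
    return frees_seen;                         /* 1 */
}

int main(void) {
    printf("unsafe close, two racing closers: %d frees\n", replay_unsafe_close_race());
    printf("atomic-exchange close, same race: %d frees\n", replay_safe_close_race());
    return 0;
}
```

The scripted interleaving stands in for the OS scheduler so the outcome is repeatable; with real threads the unsafe variant would only fail on some runs, which is exactly why this bug class survives testing. The fix is not "add a check" but "make the check and the clear one indivisible step" (an atomic exchange here, a lock or reference count in a real object manager).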

Exploitation

Public PoCs use a 16-thread concurrent handle manipulation strategy to maximize the probability of winning the race. Once the double-free corrupts the heap, the attacker sprays controlled data into the freed region, then manipulates a process token to obtain SYSTEM privileges.

Exploitation Primitive

16-thread concurrent handle manipulation → double-free in kernel heap
  → heap spray with controlled data
  → token manipulation → SYSTEM

References