Windows Heap-based Buffer Overflow Vulnerability Let Attackers Elevate Privileges

On Mon, Aug 12, 2025, Microsoft released a patch addressing a critical vulnerability in the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys). The vulnerability, identified as CVE-2025-53149, allows local attackers to execute code with elevated privileges on a target machine.
Technical Details
The flaw is a heap-based buffer overflow located in the CKSAutomationThunk::HandleArrayProperty() function of the ksthunk.sys driver (SHA-1: 68B5B527550731DD657BF8F1E8FA31E895A7F176). This component provides the compatibility layer (the WOW "thunk") between 32-bit user-mode applications and 64-bit kernel-mode drivers that manage multimedia data streams.
Specifically, the vulnerability arises when the driver handles requests to retrieve properties from devices through the Kernel Streaming interface. The code fails to verify that the caller-supplied output buffer is large enough to hold the property data before copying it, so a request with an undersized buffer overflows the heap allocation.
Impact and Mitigation
An attacker could exploit this by sending a crafted request from a 32-bit application, potentially allowing the execution of arbitrary code with kernel-level privileges. To exploit this, an attacker must execute code on the target system and interact with a device supporting the vulnerable property set.
Microsoft’s update rectifies the issue by implementing proper size checks for the output buffer, aborting operations if the buffer is insufficient. Users and administrators are advised to apply the latest security updates to protect systems from CVE-2025-53149.
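As an added illustration of the bug class (not code from ksthunk.sys, whose internals are not reproduced here), this hypothetical C model contrasts a property-get handler that trusts the device-reported array size and ignores the caller's output-buffer length with the corrected form that checks the length and aborts, as the patch described above does; the function names, status values and sample property are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local stand-ins for the NTSTATUS codes a real driver would return. */
#define STATUS_SUCCESS           0
#define STATUS_BUFFER_TOO_SMALL  1
#define STATUS_INTEGER_OVERFLOW  2

/* Constructed sample property: eight 32-bit entries "reported by a device". */
static const uint32_t g_property[8] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Vulnerable pattern: the copy length is derived only from the device-side
 * array, and the caller's out_len is never consulted, so a request carrying
 * a short output buffer overruns the heap allocation behind it.
 * (Hypothetical; only safe to call here when out_len >= count * 4.) */
int get_array_property_vulnerable(const uint32_t *items, size_t count,
                                  void *out, size_t out_len, size_t *written)
{
    (void)out_len;                          /* the missing size check */
    *written = count * sizeof(uint32_t);
    memcpy(out, items, *written);
    return STATUS_SUCCESS;
}

/* Hardened pattern: compute the required size with wrap-around protection,
 * compare it against the caller's out_len, and abort before touching the
 * buffer. On failure *written still carries the required size so the caller
 * can reallocate and retry, the usual property-get contract. */
int get_array_property_fixed(const uint32_t *items, size_t count,
                             void *out, size_t out_len, size_t *written)
{
    if (count > SIZE_MAX / sizeof(uint32_t))
        return STATUS_INTEGER_OVERFLOW;     /* count * 4 would wrap */
    size_t required = count * sizeof(uint32_t);
    *written = required;
    if (out == NULL || out_len < required)
        return STATUS_BUFFER_TOO_SMALL;     /* abort, nothing copied */
    memcpy(out, items, required);
    return STATUS_SUCCESS;
}
```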