Critical Windows Vulnerability Allows Attackers to Gain System Privileges

A significant security flaw has been identified in a core Windows driver, potentially enabling local attackers to execute code with the highest system privileges, thereby seizing full control of the affected machine.

Understanding the Vulnerability

Designated as CVE-2025-53149, this heap-based buffer overflow vulnerability resides in the Kernel Streaming WOW Thunk Service Driver (`ksthunk.sys`). Microsoft addressed this issue in its security updates released on August 12, 2025.

The flaw was uncovered by security researchers during internal analysis. Following a responsible disclosure process, the vulnerability was reported to Microsoft, leading to the development and release of a patch.

Role of `ksthunk.sys` in Windows Systems

The `ksthunk.sys` driver plays a pivotal role in maintaining backward compatibility on 64-bit versions of Windows. It functions as a thunk layer—a small piece of code that translates requests between different system architectures. Specifically, it bridges the gap between 32-bit user-mode applications and 64-bit kernel-mode drivers that manage real-time data streams for audio and video.

This driver is integral to the broader Kernel Streaming (KS) framework, a foundational Windows technology for handling high-performance, low-latency multimedia data. By enabling older 32-bit software to interact with modern 64-bit kernel components, KSThunk ensures that legacy applications continue to function correctly. However, it is within this complex translation process that the security flaw was discovered.

Technical Details of the Vulnerability

The vulnerability is located in the `CKSAutomationThunk::HandleArrayProperty()` function of the `ksthunk.sys` driver (SHA-1: 68B5B527550731DD657BF8F1E8FA31E895A7F176). An attacker can exploit this flaw by sending a specially crafted request from a 32-bit application to a device that utilizes the Kernel Streaming interface.

The core issue lies in how the driver handles requests to retrieve properties from a device in certain property sets, such as `KSPROPSETID_VPConfig`. The vulnerable code path first calls a function to determine the size of the data that needs to be returned. It then prepares to copy this data into an output buffer provided by the user-mode application.

The critical oversight is a missing validation step. While the function checks that the provided output buffer is not empty (that is, that its length is nonzero), it never compares that length against the size reported by the device, so it fails to verify that the buffer is large enough to hold the data it is about to receive. Consequently, when the driver proceeds to copy the data, it can write past the boundary of the allocated buffer. This results in a heap-based buffer overflow within the kernel’s non-paged pool, a critical memory region.

A successful exploit could allow an attacker to corrupt kernel memory and execute arbitrary code with kernel-level privileges.

Exploitation Prerequisites

To exploit this vulnerability, an attacker would need to run code on a target system and make a specific `DeviceIoControl` call. However, there is a significant prerequisite: the system must have a hardware device installed that supports the vulnerable property set (`KSPROPSETID_VPConfig` or `KSPROPSETID_VPVBIConfig`). While researchers were unable to find such a device on their test systems, the vulnerability remains a threat on systems where one is present.

Mitigation Measures

Microsoft has addressed the vulnerability in the patched version of `ksthunk.sys`. The updated driver now includes the necessary size check, ensuring that the output buffer is large enough before the copy operation begins. If the buffer is too small, the operation is safely aborted.
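As an added illustration (not code from the article, from Microsoft, or from the driver itself), the C program below contrasts the two code paths the article describes: the handler in the Technical Details section, which only rejects an empty output buffer before copying device-sized data, and the patched behaviour described above, which compares the caller's buffer length against the size the device reports and aborts when it is too small. Everything in it is constructed: the function names, the 32-byte property blob, and the harness. The status names follow NTSTATUS naming, but the article does not say which code the patched driver returns, so treat that choice as an assumption. The harness keeps every write inside a single 64-byte arena and uses a canary after the caller's declared 16-byte buffer, so the program itself never writes out of bounds while still showing what the missing check permits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status values named after NTSTATUS conventions. The article does not
 * state the patched driver's return code, so this mapping is assumed. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u

#define DECLARED_OUT_LEN 16   /* length the caller says its buffer has        */
#define CANARY_LEN       16   /* bytes placed directly after that buffer       */
#define ARENA_LEN        64   /* whole arena, so no write ever leaves it       */

/* Hypothetical stand-in for the device-side query that reports the
 * property's size and contents: a constructed 32-byte blob, i.e. twice
 * the caller's declared buffer length. */
static unsigned char g_property_blob[32];

static size_t query_property_size(void) { return sizeof g_property_blob; }

static const unsigned char *query_property_data(void) {
    memset(g_property_blob, 0xAA, sizeof g_property_blob);
    return g_property_blob;
}

/* Vulnerable pattern from the article: out_len is only checked for being
 * nonzero, then the device-sized data is copied regardless of out_len. */
uint32_t handle_array_property_vulnerable(unsigned char *out, size_t out_len) {
    if (out == NULL || out_len == 0)
        return STATUS_INVALID_PARAMETER;
    size_t needed = query_property_size();        /* device decides the size     */
    memcpy(out, query_property_data(), needed);   /* never compared with out_len */
    return STATUS_SUCCESS;
}

/* Fixed pattern: compare the device-reported size against the caller's
 * length before copying, and abort without writing if it does not fit. */
uint32_t handle_array_property_fixed(unsigned char *out, size_t out_len,
                                     size_t *bytes_needed) {
    if (out == NULL || out_len == 0)
        return STATUS_INVALID_PARAMETER;
    size_t needed = query_property_size();
    *bytes_needed = needed;                       /* let the caller resize     */
    if (out_len < needed)
        return STATUS_BUFFER_TOO_SMALL;           /* safe abort, nothing copied */
    memcpy(out, query_property_data(), needed);
    return STATUS_SUCCESS;
}

/* Harness: a 64-byte arena stands in for a pool allocation. The caller
 * declares only the first 16 bytes as its buffer; the next 16 hold a
 * canary. Returns 1 if the canary is intact after the call, 0 if the
 * handler overwrote it. The handler's status is stored in *status_out. */
int run_handler(int use_fixed, uint32_t *status_out) {
    unsigned char arena[ARENA_LEN];
    memset(arena, 0, sizeof arena);
    memset(arena + DECLARED_OUT_LEN, 0xCC, CANARY_LEN);   /* canary pattern */

    size_t needed = 0;
    if (use_fixed)
        *status_out = handle_array_property_fixed(arena, DECLARED_OUT_LEN, &needed);
    else
        *status_out = handle_array_property_vulnerable(arena, DECLARED_OUT_LEN);

    for (size_t i = 0; i < CANARY_LEN; i++)
        if (arena[DECLARED_OUT_LEN + i] != 0xCC)
            return 0;                                      /* canary clobbered */
    return 1;
}

int main(void) {
    uint32_t st;
    int ok = run_handler(0, &st);
    printf("vulnerable: status=0x%08X canary %s\n", (unsigned)st,
           ok ? "intact" : "OVERWRITTEN");
    ok = run_handler(1, &st);
    printf("fixed:      status=0x%08X canary %s\n", (unsigned)st,
           ok ? "intact" : "OVERWRITTEN");
    return 0;
}
```

The point to take from the harness is that the nonzero check alone accepts a 16-byte buffer for 32 bytes of device data and reports success while the bytes past the buffer are overwritten; the size comparison turns the same request into a refused call with nothing written. In a real driver the equivalent check belongs before every copy whose length comes from the device rather than from the caller.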

Users and administrators are strongly advised to apply the latest Windows security updates to protect their systems against CVE-2025-53149 and other potential threats.