
Heap-based buffer overflow in Kernel Streaming



From time to time, while digging through internals during our research, we stumble upon quirks or vulnerabilities that, although not immediately useful for operations or exploitation, are still noteworthy. Rather than letting these findings fade away, we decided to responsibly disclose them to the vendor. One such case is CVE-2025-53149, a heap-based buffer overflow in the Kernel Streaming WOW Thunk Service Driver, which Microsoft patched on August 12, 2025.

The vulnerable component is the ksthunk.sys driver, SHA-1 68B5B527550731DD657BF8F1E8FA31E895A7F176.

Kernel Streaming

Kernel streaming, often abbreviated as KS, is a foundational technology within the Windows operating system for handling real-time data streams, particularly for multimedia applications. It provides a low-latency, high-performance architecture that allows devices and applications to efficiently process and transport large volumes of data, such as audio and video.

KSThunk, short for “Kernel Streaming WOW Thunk Service,” is a specific component within the Windows operating system that plays a crucial role in maintaining backwards compatibility for multimedia applications. It is a system driver file ( ksthunk.sys ) that is primarily used on 64-bit versions of Windows. The core purpose of KSThunk is to act as a “thunk” layer: a small piece of code that translates requests between different environments. In this case, it bridges the gap between 32-bit user-mode applications and the 64-bit kernel-mode drivers that manage real-time media streams.

Static analysis

We discovered the vulnerability in the CKSAutomationThunk::HandleArrayProperty() function of the ksthunk.sys driver. The IOCTL dispatching code in CKSThunkDevice::DispatchIoctl() shows that CKSAutomationThunk::ThunkPropertyIrp() is called when the calling process is user mode and wow64:

CKSAutomationThunk::ThunkPropertyIrp() performs checks on the input buffer length and reads KSPROPERTY.Flags. If the two lowest bits are both 0, the function returns 1. If KSPROPERTY_TYPE_SET or KSPROPERTY_TYPE_GET is set, the request is processed against an additional property set, as shown in the image below:

On line 41, a PropertySet can be seen, which is an array of 6 KSPROPERTY_SET structures:
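The gating logic described above, as an added C model written for this article rather than the driver's own code: the request is rejected if the input buffer is shorter than a KSPROPERTY before any field is read, the "return 1" path is taken when neither GET nor SET is requested, and an accepted request is then looked up in a property-set table bounded by the table's own PropertiesCount. The struct and flag values follow ks.h; PROPSET, thunk_property(), check() and the SAMPLE_* table are constructed for the example and are not ksthunk.sys identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
typedef struct { GUID Set; uint32_t Id; uint32_t Flags; } KSPROPERTY;  /* same layout as ks.h */

#define KSPROPERTY_TYPE_GET 0x00000001u  /* flag values as defined in ks.h */
#define KSPROPERTY_TYPE_SET 0x00000002u

/* Reduced stand-in for KSPROPERTY_SET (assumption: the real struct has more fields). */
typedef struct { const GUID *Set; uint32_t PropertiesCount; const uint32_t *PropertyIds; } PROPSET;

enum { THUNK_HANDLED = 0, THUNK_PASS = 1, THUNK_REJECT = -1 };

/* Model of the gating path: reject a short buffer before touching any field, return 1
 * when neither GET nor SET is requested, otherwise look the request up in the table. */
int thunk_property(const uint8_t *in, size_t in_len, const PROPSET *sets, size_t nsets)
{
    KSPROPERTY p;
    if (in == NULL || in_len < sizeof p)
        return THUNK_REJECT;
    memcpy(&p, in, sizeof p);
    if ((p.Flags & (KSPROPERTY_TYPE_GET | KSPROPERTY_TYPE_SET)) == 0)
        return THUNK_PASS;
    for (size_t i = 0; i < nsets; i++) {
        if (memcmp(sets[i].Set, &p.Set, sizeof(GUID)) != 0)
            continue;
        for (uint32_t j = 0; j < sets[i].PropertiesCount; j++)  /* bounded by the table's count */
            if (sets[i].PropertyIds[j] == p.Id)
                return THUNK_HANDLED;
    }
    return THUNK_REJECT;  /* unknown set or id: never index past the table */
}

/* Constructed sample table: one property set exposing ids 0 and 1. */
static const GUID SAMPLE_SET = { 0x11111111u, 0x2222, 0x3333, {0, 1, 2, 3, 4, 5, 6, 7} };
static const uint32_t SAMPLE_IDS[] = { 0, 1 };
static const PROPSET SAMPLE_TABLE[] = { { &SAMPLE_SET, 2, SAMPLE_IDS } };

/* Builds a request for the sample set and submits it with the given buffer length. */
int check(uint32_t id, uint32_t flags, size_t in_len)
{
    KSPROPERTY q;
    q.Set = SAMPLE_SET;
    q.Id = id;
    q.Flags = flags;
    return thunk_property((const uint8_t *)&q, in_len, SAMPLE_TABLE, 1);
}
```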
