NT OS Kernel Information Disclosure Vulnerability

KyleBerezin

I find myself thinking "wow, what an obvious bug. How did Microsoft not catch that?" but then I think back to some of my own extremely obvious bugs. Thankfully my code is much lower impact.

btreecat

I still think of the lessons learned from a root traverse bug I accidentally coded into one of our internal apps as a jr dev.

You could change the URL of the image, and get any file off the system to download as long as the service account had read access.

Invaluable XP, and really glad everything was behind AD authentication and internal users were trustworthy enough and operating in a network isolated context.
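The bug btreecat describes, a path traversal in an image download endpoint, is easy to reproduce and easy to close. The following is an added example (not code from the thread or from any Microsoft component): a vulnerable handler that joins the user-supplied name straight onto the image directory, next to a hardened version that resolves the path and refuses anything that lands outside the directory. The image store and the "secret" file are constructed in a temporary directory so the script runs offline.

```python
import tempfile
from pathlib import Path

# Constructed sample layout: an images directory the handler is meant to
# serve from, and a file one level above it that the service account can
# read but that should never be reachable through the endpoint.
ROOT = Path(tempfile.mkdtemp(prefix="imgstore_"))
IMAGES = ROOT / "images"
IMAGES.mkdir()
(IMAGES / "logo.png").write_bytes(b"\x89PNG constructed-image-bytes")
(ROOT / "secret.txt").write_text("service-account-readable secret")


class PathTraversalError(ValueError):
    """Raised when a requested name resolves outside the served directory."""


def serve_image_vulnerable(name: str) -> bytes:
    """The pattern behind the bug: the name from the URL is appended to the
    base directory with no containment check, so '..' segments (or an
    absolute path) reach any file the process can read."""
    return (IMAGES / name).read_bytes()


def resolve_inside(base: Path, name: str) -> Path:
    """Resolve `name` relative to `base` and require the real location to be
    strictly inside `base`. resolve() normalises '..' and follows symlinks,
    so the comparison is made on the filesystem location, not the text."""
    base_real = base.resolve()
    candidate = (base_real / name).resolve()
    if base_real not in candidate.parents:
        raise PathTraversalError(name)
    return candidate


def serve_image_hardened(name: str) -> bytes:
    """Hardened handler: only regular files under IMAGES are served."""
    path = resolve_inside(IMAGES, name)
    if not path.is_file():
        raise FileNotFoundError(name)
    return path.read_bytes()


def hardened_rejects(name: str) -> bool:
    """True if the hardened handler refuses `name` as a traversal attempt."""
    try:
        serve_image_hardened(name)
    except PathTraversalError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, logo.png  :", serve_image_vulnerable("logo.png"))
    print("vulnerable, ../secret :", serve_image_vulnerable("../secret.txt"))
    print("hardened,   logo.png  :", serve_image_hardened("logo.png"))
    print("hardened,   ../secret :", "rejected" if hardened_rejects("../secret.txt") else "served")
```

The containment check is done after `resolve()` rather than by looking for `..` in the string, because textual filtering misses encoded separators, symlinks inside the served directory, and absolute paths (which `Path.__truediv__` silently substitutes for the base). Pairing this with a service account that can read only the image directory, as the comment's AD-restricted setup partly did, limits the blast radius if the check is ever bypassed.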

Jare

I went to check when the bug had been patched, and was left wanting. I however lack the expertise to really appreciate how much danger exists in practice, or for whom. I just know I do have Win11 24H2 and "This leak primitive is particularly useful for Windows versions 24H2 or later".

Ethee

If you follow the CVE link included: https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

It would seem this was patched in the Aug 12 security patch rollout.

MattSteelblade

This type of exploit is useful as part of a chain of exploits; it defeats a defense-in-depth protection.

twoodfin

Specifically, it leaks a kernel address inside a security-sensitive structure, which is supposed to be unpredictable / unknowable because the layout of kernel memory is randomized.

If you have another exploit that will write bytes under the attacker’s control to an attacker-supplied kernel address, you will be able to do the Windows equivalent of escalate to root.

lysace

Random: Perhaps that full source code leak in 2004 actually helped harden the kernel, long term?

https://betanews.com/2004/02/13/windows-source-leak-traces-b...
