Heap-based buffer overflow in Kernel Streaming

https://news.ycombinator.com/rss Hits: 1
Summary

From time to time, while digging through internals during our research, we stumble upon quirks or vulnerabilities that, although not immediately useful for operations or exploitation, are still noteworthy. Rather than letting these findings fade away, we decided to responsibly disclose them to the vendor. One such case is CVE-2025-53149, a heap-based buffer overflow in the Kernel Streaming WOW Thunk Service Driver, which Microsoft patched on August 12, 2025. The vulnerable component is the ksthunk.sys driver, SHA-1 68B5B527550731DD657BF8F1E8FA31E895A7F176.

Kernel Streaming

Kernel streaming, often abbreviated as KS, is a foundational technology within the Windows operating system for handling real-time data streams, particularly for multimedia applications. It provides a low-latency, high-performance architecture that allows devices and applications to efficiently process and transport large volumes of data, such as audio and video.

KSThunk, short for "Kernel Streaming WOW Thunk Service," is a specific component within the Windows operating system that plays a crucial role in maintaining backward compatibility for multimedia applications. It is a system driver file (ksthunk.sys) that is primarily used on 64-bit versions of Windows. The core purpose of KSThunk is to act as a "thunk" layer: a small piece of code that translates requests between different environments. In this case, it bridges the gap between 32-bit user-mode applications and the 64-bit kernel-mode drivers that manage real-time media streams.

Static analysis

We discovered the vulnerability in the CKSAutomationThunk::HandleArrayProperty() function of the ksthunk.sys driver.
Looking at the IOCTL dispatching code in the CKSThunkDevice::DispatchIoctl() function, it can be noted that CKSAutomationThunk::ThunkPropertyIrp() is called when the calling process is a user-mode WOW64 process. CKSAutomationThunk::ThunkPropertyIrp() performs checks on the input buffer length and reads the KSPROPE...

First seen: 2025-09-05 14:10

Last seen: 2025-09-05 14:10