Windows KASLR Bypass – CVE-2025-53136
6 hours ago
- #Windows Security
- #Kernel Vulnerability
- #Race Condition
- Microsoft mitigated the traditional kernel information leaks in Windows 11/Windows Server 2022 24H2 by suppressing kernel base addresses in the usual query interfaces unless the caller holds SeDebugPrivilege, a privilege a standard user does not have.
- A new kernel address leak (CVE-2025-53136) turned up during patch analysis of the fix for CVE-2024-43511: a race condition in RtlSidHashInitialize(), the routine that builds a token's SID hash table.
- The bug leaks kernel addresses from any token handle the caller can open, so it is reachable from a Low integrity level process or an AppContainer sandbox, and it can be chained with other vulnerabilities to build a local privilege escalation (LPE).
- Exploitation uses two threads: one repeatedly issues the affected syscall on the token handle, the other spins reading the location where the kernel address is momentarily exposed, so that it catches the value before the race window closes.
- The exploit is reliable because that window is wide; it was demonstrated on the latest Windows Insider Preview build at the time of writing.
- Patch analysis is crucial for improving bug-finding skills and secure coding, as fixes can introduce new vulnerabilities.
- Disclosure timeline highlights challenges in reporting and Microsoft's initial dismissal before acknowledging the bug.
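The two-thread race pattern described in the bullets above, as an added simulation that is not the author's exploit and not code from this page. The page does not name the affected syscall or the exact location in which the kernel address appears, so `simulated_racy_syscall`, `exposed_slot` and `FAKE_KERNEL_PTR` are constructed stand-ins: the "syscall" publishes a raw kernel-looking pointer into a caller-visible slot while it does hash-table work, then overwrites it before returning, which is the shape of a transient leak with a wide window. The only assumption beyond that is the x64 address split used by `is_kernel_address` (kernel space in the upper canonical half).

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define FAKE_KERNEL_PTR 0xfffff80012345678ULL  /* constructed, not a real address */
#define HASH_SLOTS      256
#define MAX_ATTEMPTS    200000L

/* The field a user-mode caller can observe. In the real bug this is a
 * location the kernel writes while servicing the request; here it is a
 * constructed atomic so the reader can sample it without tearing. */
static _Atomic uint64_t exposed_slot;
static atomic_int leaked_found;
static atomic_int writer_done;

/* x64 kernel-space pointers sit in the upper canonical half. */
int is_kernel_address(uint64_t v) {
    return v >= 0xffff800000000000ULL;
}

/* Constructed stand-in for the racy routine: copy phase, publish the raw
 * kernel pointer, hash-table build phase (the wide window), then overwrite
 * the slot with the sanitised value the caller is meant to see. */
static void simulated_racy_syscall(void) {
    static volatile uint32_t table[HASH_SLOTS];
    for (uint32_t i = 0; i < HASH_SLOTS * 16; i++)   /* work before the window */
        table[i % HASH_SLOTS] ^= i;
    atomic_store(&exposed_slot, FAKE_KERNEL_PTR);    /* pointer now visible */
    for (uint32_t i = 0; i < HASH_SLOTS * 16; i++)   /* hash build: the window */
        table[i % HASH_SLOTS] += i * 0x9e3779b1u;
    atomic_store(&exposed_slot, 0);                  /* fixed-up before return */
}

/* Thread 1: hammer the syscall until the reader reports success or the
 * attempt budget runs out. */
static void *caller_thread(void *arg) {
    long *attempts = arg;
    for (*attempts = 0;
         *attempts < MAX_ATTEMPTS && !atomic_load(&leaked_found);
         (*attempts)++)
        simulated_racy_syscall();
    atomic_store(&writer_done, 1);
    return NULL;
}

/* Thread 2: spin on the slot and keep the first kernel-looking value. */
static void *reader_thread(void *arg) {
    uint64_t *leaked = arg;
    while (!atomic_load(&writer_done)) {
        uint64_t v = atomic_load(&exposed_slot);
        if (is_kernel_address(v)) {
            *leaked = v;
            atomic_store(&leaked_found, 1);
            break;
        }
    }
    return NULL;
}

/* Runs the race. Returns the number of syscall attempts made and stores the
 * captured pointer (or 0 if the budget was exhausted) in *leaked. */
long run_race(uint64_t *leaked) {
    long attempts = 0;
    pthread_t caller, reader;
    *leaked = 0;
    atomic_store(&leaked_found, 0);
    atomic_store(&writer_done, 0);
    atomic_store(&exposed_slot, 0);
    pthread_create(&reader, NULL, reader_thread, leaked);
    pthread_create(&caller, NULL, caller_thread, &attempts);
    pthread_join(caller, NULL);
    pthread_join(reader, NULL);
    return attempts;
}

int main(void) {
    uint64_t leaked;
    long attempts = run_race(&leaked);
    if (is_kernel_address(leaked))
        printf("leaked kernel pointer 0x%016llx after %ld syscall(s)\n",
               (unsigned long long)leaked, attempts);
    else
        printf("no leak after %ld syscall(s)\n", attempts);
    return 0;
}
```

Because the pointer is visible for roughly half of each simulated call, the reader usually wins on the first attempt on a multi-core machine; the attempt budget only matters on a single core, where each reader timeslice is one sample of the slot. Against a real target the same skeleton applies with the reader watching whatever memory the kernel transiently writes, and the pre-filter `is_kernel_address` keeps the reader from accepting the sanitised value.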