CVE-2025-26694

/* * CVE-2025-26694 PoC - NULL Pointer Dereference in Intel QAT Windows Software * This is a conceptual PoC demonstrating the vulnerability trigger mechanism. * Actual exploitation requires specific QAT API calls and input parameters. * * WARNING: This code is for educational and research purposes only. * Unauthorized testing of vulnerabilities without proper authorization is illegal. */ #include <windows.h> #include <stdio.h> /* Intel QAT API structures - simplified representation */ typedef struct _QAT_REQUEST { void* pUserData; // Pointer that can be NULL DWORD flags; DWORD inputSize; void* pInputBuffer; DWORD outputSize; void* pOutputBuffer; } QAT_REQUEST, *PQAT_REQUEST; /* Simulated vulnerable function - demonstrates NULL pointer dereference */ DWORD VulnerableQATHandler(PQAT_REQUEST pRequest) { DWORD result = 0; /* Vulnerability: Missing NULL check on pRequest->pUserData */ /* This simulates the condition that leads to NULL pointer dereference */ if (pRequest->pUserData == NULL) { printf("[*] Triggering CVE-2025-26694 - NULL pointer dereference\n"); /* Attempt to dereference NULL pointer */ *(PDWORD)pRequest->pUserData = 0xFFFFFFFF; // Triggers access violation } return result; } int main(int argc, char* argv[]) { QAT_REQUEST maliciousRequest; printf("CVE-2025-26694 PoC - Intel QAT NULL Pointer Dereference\n"); printf("Target: Intel QAT Windows software < 2.6.0\n\n"); /* Initialize malicious request with NULL pointer */ memset(&maliciousRequest, 0, sizeof(QAT_REQUEST)); maliciousRequest.pUserData = NULL; // NULL pointer triggers vulnerability maliciousRequest.flags = 0x00000001; printf("[*] Sending crafted request to QAT handler...\n"); /* Trigger the vulnerable code path */ VulnerableQATHandler(&maliciousRequest); printf("[!] If no crash occurred, the vulnerable code path was not reached.\n"); return 0; } /* * Mitigation: * 1. Upgrade Intel QAT software to version 2.6.0 or later * 2. Apply Intel SA-01373 security advisory patches * 3. Monitor for abnormal QAT service behavior */

{"cve": {"id": "CVE-2025-26694", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:44.900", "lastModified": "2025-11-26T15:40:18.857", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Null pointer dereference for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:*", "versionEndExcluding": "2.6.0-0018", "matchCriteriaId": "6416303E-851F-4530-875E-D349969919BE"}]}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}