Kernel Streaming WOW Thunk Service Driver Exploit: Unpacking CVE-2025-49675's Use-After-Free Flaw

Introduction

A critical use-after-free vulnerability, CVE-2025-49675, has emerged in the Windows Kernel Streaming WOW Thunk Service Driver, posing significant risks of privilege escalation to SYSTEM level. This vulnerability, patched by Microsoft in July 2025, underscores ongoing challenges in securing legacy Windows subsystems.

Technical Information

The vulnerability resides specifically within the ks.sys driver, responsible for handling Windows-on-Windows (WOW) compatibility for legacy kernel-mode streaming components. The flaw occurs due to improper memory management, where the driver accesses pointers referencing memory locations that have already been freed, creating a use-after-free condition (CWE-416).

Attackers exploit this vulnerability by issuing specially crafted I/O control calls (IOCTLs) to ks.sys, triggering a race condition that corrupts memory structures. Successful exploitation allows attackers to overwrite critical kernel structures or function pointers, redirecting execution to attacker-controlled payloads with elevated SYSTEM privileges.

Attack Vectors

Local Exploitation: Requires attacker to have local access to the system.
Exploit Chain Potential: Could be combined with remote code execution vulnerabilities for comprehensive system compromise.

Affected Systems and Versions

Windows 11 24H2
Windows Server 2025
Legacy Windows versions utilizing WOW subsystems

Patch Information

Microsoft has released a security update addressing CVE-2025-49675, specifically targeting the Windows Routing and Remote Access Service (RRAS). The patch ensures RRAS correctly handles specific network packets, mitigating the risk of unauthorized remote code execution.

Administrators should promptly apply updates available via Windows Update or directly from the Microsoft Update Catalog. Adhering to Microsoft's deployment guidelines is essential to ensure effective protection against this vulnerability.

Vendor Security History

Microsoft's security history includes recurring challenges with memory safety in legacy components, notably the Kernel Streaming WOW Thunk Service Driver. Earlier in 2025, a similar vulnerability (CVE-2025-24995) was identified, highlighting persistent issues in securing these subsystems. Microsoft's response to CVE-2025-49675 was notably swift, with a patch released within 37 days of disclosure.

References

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]

Analyzing CVE-2025-49675, a critical use-after-free vulnerability in Windows Kernel Streaming WOW Thunk Service Driver enabling local privilege escalation.

CVE Analysis