Windows Kernel Elevation of Privilege - Race Condition / Double-Free (CVE-2025-62215)
by dexterm300 · 2026-05-17
- Severity: High
- CVE: CVE-2025-62215
- Category: binary
- Affected product: Windows Kernel (ntoskrnl.exe / kernel resource synchronization)
- Affected versions: Windows 10 (multiple versions), Windows 11 (multiple versions), Windows Server editions (pre-November 2025 patches)
- Disclosed: 2026-05-17
- Patch status: patched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Last Updated | 2025-11-14 |
| Author / Researcher | dexterm300 |
| CVE / Advisory | CVE-2025-62215 |
| Category | binary |
| Severity | High |
| CVSS Score | 7.0 (CVSSv3) |
| Status | Weaponized |
| Tags | EoP, Windows kernel, race condition, double-free, heap corruption, 0day, SYSTEM, Windows 10, Windows 11 |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Windows Kernel (ntoskrnl.exe / kernel resource synchronization) |
| Versions Affected | Windows 10 (multiple versions), Windows 11 (multiple versions), Windows Server editions (pre-November 2025 patches) |
| Language / Platform | C++, Windows x64 |
| Authentication Required | Yes (local authenticated user) |
| Network Access Required | No (local only) |
Summary
CVE-2025-62215 is a Windows Kernel Elevation of Privilege vulnerability disclosed and patched in November 2025, confirmed to have been actively exploited as a zero-day in the wild prior to patching. The bug combines a race condition in kernel resource synchronization (CWE-362) with a resulting double-free memory corruption (CWE-415), ultimately allowing a local authenticated attacker to execute arbitrary code at SYSTEM privilege level. The PoC includes three components: a primary exploit, an advanced exploit module, and a system information utility.
Vulnerability Details
Root Cause
Two interrelated weaknesses form the root cause:
- Race Condition (CWE-362): Multiple kernel threads access shared resources without proper synchronization, creating a time-of-check to time-of-use (TOCTOU) window.
- Double-Free (CWE-415): Once the race condition is won, a double-free bug is triggered in the kernel heap allocator, leading to heap corruption that can be shaped into an arbitrary write primitive.
The combination allows an attacker to gain control over kernel memory layout and inject shellcode or overwrite security-sensitive kernel structures to elevate from a standard user to SYSTEM.
Attack Vector
A local authenticated user runs the exploit binary. The exploit repeatedly races kernel threads against each other to win the synchronization window, triggers the double-free condition, and then exploits the resulting heap corruption. A pool spray or heap shaping technique is used to place attacker-controlled data at the freed memory location, which is then used to overwrite a kernel token or callback pointer to achieve SYSTEM privileges.
Impact
Full local privilege escalation to SYSTEM on affected Windows 10, Windows 11, and Windows Server systems. An attacker already authenticated on the system (e.g., via phishing, initial access, or lateral movement) can use this to fully compromise the machine, disable security tools, dump credentials, or establish persistence as SYSTEM.
Environment / Lab Setup
OS: Windows 10 / Windows 11 (pre-November 2025 patches)
Architecture: x64
Attacker: Local authenticated shell (standard user)
Tools: Visual Studio 2019+, Windows SDK, cl.exe, build.bat
Setup Steps
Proof of Concept
Step-by-Step Reproduction
1. Check system info, to verify the target is vulnerable: `system_info.exe`
2. Run in test mode first, to verify exploit mechanics without full escalation: `exploit.exe --test`
3. Run the exploit for full SYSTEM escalation: `exploit.exe --verbose`
4. Advanced module, for extended post-exploitation capabilities: `advanced_exploit.exe`
Exploit Code
See exploit.cpp (primary exploit) and advanced_exploit.cpp (extended module) in this folder.
Expected Output
[*] CVE-2025-62215 Windows Kernel EoP PoC
[*] Target: Windows 10/11 (pre-Nov 2025)
[*] Racing kernel threads...
[*] Race won — triggering double-free...
[*] Heap corruption achieved — overwriting token...
[+] Elevated to SYSTEM!
[+] Spawning SYSTEM shell...
Microsoft Windows [Version 10.0.xxxxx]
C:\Windows\system32>whoami
nt authority\system
Screenshots / Evidence
- N/A
Detection & Indicators of Compromise
- Event ID 4688: process creation with an unexpected SYSTEM parent
- Event ID 4672: special privileges assigned to a new logon (unexpected escalation)
- Standard user process spawning children with a SYSTEM token
- Unusual kernel handle operations / race-condition-indicative thread patterns
- cmd.exe or powershell.exe spawned as nt authority\system from a non-SYSTEM parent
SIEM / IDS Rule (example):
index=windows EventCode=4688 SubjectUserSid!="S-1-5-18" NewProcessName="*cmd.exe"
| where like(TokenElevationType, "%Full%")
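As an added illustration of the two process-creation indicators listed above (standard-user subject creating a SYSTEM child, and a shell running as SYSTEM from an unexpected parent), here is a small Python detector run over constructed sample Security-log events. This code is not part of the original repository or this archive entry. Field names follow the Windows Security 4688 schema (SubjectUserSid for the creator, TargetUserSid for the new process's account, NewProcessName, ParentProcessName); the allowlist of parent images, the user SIDs and the event contents are assumptions made up for the example and must be tuned before use in a real environment.

```python
"""Toy 4688 detector for the SYSTEM-shell indicators described above.

Two rules are applied to each process-creation event:
  1. the new process runs as SYSTEM (S-1-5-18) but the creating subject
     was not SYSTEM, and the parent is not a known service host;
  2. an interactive shell runs as SYSTEM from a parent that is not a
     known service host (catches a child spawned after the creator has
     already replaced its own token).
All sample data below is constructed for this example.
"""
from dataclasses import dataclass, field

SYSTEM_SID = "S-1-5-18"
# Interactive shells an escalation PoC typically launches once elevated.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed allowlist (constructed): parents that routinely create SYSTEM-level
# children. Tune this to the environment; it is deliberately short here.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "wininit.exe", "svchost.exe",
                           "smss.exe", "csrss.exe"}


@dataclass
class Finding:
    new_process: str
    parent: str
    subject_sid: str
    reasons: list = field(default_factory=list)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_4688(ev: dict):
    """Apply both rules to one event; return a Finding or None."""
    if ev.get("EventID") != 4688:
        return None
    subject = ev.get("SubjectUserSid", "")
    # Older builds omit TargetUserSid; fall back to the subject in that case.
    target = ev.get("TargetUserSid", subject)
    child = image_name(ev.get("NewProcessName", ""))
    parent = image_name(ev.get("ParentProcessName", ""))
    reasons = []
    if (target == SYSTEM_SID and subject != SYSTEM_SID
            and parent not in EXPECTED_SYSTEM_PARENTS):
        reasons.append("non-SYSTEM subject created a SYSTEM process")
    if (child in SHELL_IMAGES and target == SYSTEM_SID
            and parent not in EXPECTED_SYSTEM_PARENTS):
        reasons.append("SYSTEM shell spawned from unexpected parent")
    if not reasons:
        return None
    return Finding(child, parent, subject, reasons)


def scan(events):
    """Return the list of Findings for a sequence of event dicts."""
    return [f for f in (evaluate_4688(e) for e in events) if f is not None]


USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SAMPLE_EVENTS = [  # constructed sample log, in chronological order
    {"EventID": 4688, "SubjectUserSid": SYSTEM_SID, "TargetUserSid": SYSTEM_SID,
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"EventID": 4688, "SubjectUserSid": USER_SID, "TargetUserSid": USER_SID,
     "NewProcessName": r"C:\Users\bob\Desktop\exploit.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "SubjectUserSid": USER_SID, "TargetUserSid": SYSTEM_SID,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Users\bob\Desktop\exploit.exe"},
    {"EventID": 4688, "SubjectUserSid": SYSTEM_SID, "TargetUserSid": SYSTEM_SID,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Users\bob\Desktop\exploit.exe"},
    {"EventID": 4688, "SubjectUserSid": SYSTEM_SID, "TargetUserSid": SYSTEM_SID,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4672, "SubjectUserSid": SYSTEM_SID},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] {f.new_process} <- {f.parent} (subject {f.subject_sid}): "
              + "; ".join(f.reasons))
```

Run against the constructed sample, the detector reports the two cmd.exe launches from exploit.exe and stays quiet on the scheduled-task-style cmd.exe under svchost.exe, which is why the parent allowlist matters: without it the second rule would flag every SYSTEM shell. The 4672 event is skipped; correlating it with a 4688 on the same logon ID is a natural next step the example does not attempt.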
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Windows security updates from November 2025 or later (Patch Tuesday, November 2025) |
| Workaround | Enable kernel-mode hardware-enforced stack protection (HVCI) where supported |
| Config Hardening | Monitor and alert on unexpected privilege escalation (Event ID 4672/4688); enforce least privilege; use Credential Guard |
References
- CVE-2025-62215 NVD Entry
- GitHub Repository - dexterm300/CVE-2025-62215-exploit-poc
- CWE-362: Race Condition
- CWE-415: Double Free
Notes
Confirmed actively exploited as a zero-day prior to November 2025 disclosure. The repo includes three C++ modules: exploit.cpp (primary EoP), advanced_exploit.cpp (extended post-exploitation), and system_info.cpp (target reconnaissance). Requires only local authentication — no network access needed. The --test flag allows safer validation of exploit mechanics without attempting full escalation, useful for lab verification.
Auto-ingested from https://github.com/dexterm300/CVE-2025-62215-exploit-poc on 2026-05-17.