Microsoft Windows Kernel-Mode Driver Remote Code Execution Vulnerability

A use-after-free vulnerability has been identified in Windows kernel-mode drivers, allowing an authorized attacker to execute code remotely over a network. This vulnerability arises during the connection handshake process, where a specially crafted NVMe over Fabrics response message can be sent, exploiting an invalid header length value.

Impact

Exploitation of this vulnerability could lead to remote code execution on the affected system.

Reproduction

To reproduce this vulnerability, an authorized attacker must wait for a user to initiate a connection to a malicious server. During the connection handshake, the attacker can send a crafted NVMe over Fabrics response that includes an invalid header length, exploiting the use-after-free condition.

Remediation

Users can apply the security update available through the Microsoft Update Catalog. For Windows Server 2025, the security update is KB5087539, and the security hotpatch update is KB5087423.