CVE-2025-12050 Overview
CVE-2025-12050 is a buffer overflow vulnerability affecting drivers in Insyde tool packages. The drivers use the RTL_QUERY_REGISTRY_DIRECT flag when calling RtlQueryRegistryValues to read registry values. An untrusted user-mode application that can write to the queried registry key can supply oversized data, causing a kernel-mode buffer overflow [CWE-787].
The issue is documented in the Insyde Security Advisory SA-2025010. Successful exploitation can lead to local privilege escalation or arbitrary code execution in kernel context.
Critical Impact
A local low-privileged attacker can trigger an out-of-bounds write in a signed kernel driver, leading to elevation of privilege and full system compromise.
Affected Products
- Insyde tool package drivers (see vendor advisory SA-2025010 for affected components and versions)
- Systems shipping Insyde firmware utilities that bundle the vulnerable drivers
- OEM platforms distributing Insyde-supplied Windows kernel drivers
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-12050 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12050
Vulnerability Analysis
The affected drivers call RtlQueryRegistryValues with the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value into a fixed-size kernel buffer. When this flag is used, the kernel writes the registry data directly into the caller-supplied buffer without verifying that the buffer can hold the value. If the registry key is writable by a non-administrative user, that user controls both the size and contents of the data delivered to the kernel.
The vulnerability requires local access and low privileges. No user interaction is needed, and successful exploitation impacts confidentiality, integrity, and availability of the host. The attack is constrained to a single system but yields kernel-level code execution.
Root Cause
Microsoft has explicitly documented RTL_QUERY_REGISTRY_DIRECT as unsafe unless paired with RTL_QUERY_REGISTRY_TYPECHECK and a tightly controlled ACL on the target key. The Insyde drivers use the flag without enforcing either mitigation. Because the destination buffer resides in kernel memory, an oversized REG_BINARY or REG_SZ value overflows adjacent kernel structures.
Attack Vector
An attacker writes a crafted oversized value to the registry key consumed by the driver, then triggers the driver to read the key. The driver issues RtlQueryRegistryValues with RTL_QUERY_REGISTRY_DIRECT, and the oversized payload is copied into the undersized kernel buffer. The overflow corrupts adjacent kernel memory, enabling control-flow hijack or privilege escalation. The vulnerability is also a viable Bring Your Own Vulnerable Driver (BYOVD) primitive, since signed copies of the driver remain valid even after patching.
No public proof-of-concept code is available. Refer to the Insyde Security Advisory SA-2025010 for vendor technical details.
Detection Methods for CVE-2025-12050
Indicators of Compromise
- Presence of vulnerable Insyde driver binaries on disk, particularly older signed versions retained after a patch
- Unexpected writes by non-administrative processes to registry keys consumed by Insyde firmware utility drivers
- Kernel crashes (BugCheck 0x139 KERNEL_SECURITY_CHECK_FAILURE or 0x3B SYSTEM_SERVICE_EXCEPTION) referencing the Insyde driver in the stack
Detection Strategies
- Inventory loaded kernel drivers and flag known-vulnerable Insyde driver hashes referenced in advisory SA-2025010
- Hunt for low-privileged processes opening registry handles to driver-controlled keys with KEY_SET_VALUE access
- Correlate driver load events (Windows Event ID 7045, Sysmon Event ID 6) with subsequent registry modifications and process privilege changes
Monitoring Recommendations
- Enable Windows Defender Application Control or Microsoft Vulnerable Driver Blocklist to block superseded Insyde drivers
- Forward kernel crash dumps and driver load telemetry to a centralized data lake for retrospective hunting
- Alert on creation of new services pointing to Insyde driver binaries outside expected installer paths
How to Mitigate CVE-2025-12050
Immediate Actions Required
- Apply the firmware utility and driver updates listed in Insyde Security Advisory SA-2025010
- Remove or quarantine older signed copies of the vulnerable drivers to prevent BYOVD reuse
- Restrict local logon and least-privilege enforcement on systems where Insyde firmware tools are installed
Patch Information
Insyde has published fixed driver versions in advisory SA-2025010. OEMs that redistribute Insyde firmware utilities should integrate the updated drivers into their service packages. After updating, verify the on-disk driver version and ensure prior vulnerable copies have been removed from C:\Windows\System32\drivers and from any installer caches.
Workarounds
- Uninstall the Insyde firmware utility on systems that do not require runtime firmware management
- Tighten ACLs on registry keys read by the driver so only SYSTEM and administrators hold KEY_SET_VALUE
- Enable the Microsoft Vulnerable Driver Blocklist and Hypervisor-Protected Code Integrity (HVCI) to reject loading of the unpatched driver
# Verify Microsoft Vulnerable Driver Blocklist is enabled on Windows
reg query "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable
# Audit ACL on a registry key consumed by the driver (replace path)
icacls "HKLM\SOFTWARE\Insyde\<DriverKey>"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
