CVE-2025-24311 Overview
CVE-2025-24311 is an out-of-bounds read vulnerability in the cv_send_blockdata functionality of Dell ControlVault3 firmware. It affects Dell ControlVault3 versions prior to 5.15.10.14 and Dell ControlVault3 Plus versions prior to 6.2.26.36. A local attacker who can reach the ControlVault API can issue a specially crafted call that makes the firmware read past the intended buffer and return the out-of-range bytes to the caller. Successful exploitation discloses memory from the secure processor and, when the read lands on unmapped memory, can fault the firmware and disrupt availability. The vulnerability is tracked as [CWE-125: Out-of-bounds Read].
Critical Impact
A local attacker with low privileges can leak sensitive memory contents from Dell ControlVault3 firmware, which handles credentials, biometric data, and security keys on affected Dell endpoints.
Affected Products
- Dell ControlVault3 firmware prior to 5.15.10.14
- Dell ControlVault3 Plus firmware prior to 6.2.26.36
- Dell business-class laptops shipping with ControlVault security hardware
Discovery Timeline
- 2025-06-13 - CVE-2025-24311 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-24311
Vulnerability Analysis
Dell ControlVault is a hardware-based security solution that stores passwords, biometric templates, and security codes within firmware running on a dedicated secure processor. The cv_send_blockdata function handles block-oriented data transfers between the host operating system and the ControlVault co-processor. The function fails to properly validate length or offset parameters supplied through the ControlVault API before reading from a memory buffer.
When a crafted API request specifies parameters that exceed buffer boundaries, the firmware reads memory beyond the intended allocation. The contents of adjacent memory are then returned to the caller. Because ControlVault firmware processes credential material and cryptographic state, the leaked data can include security-sensitive values. The issue also impacts availability when the read accesses unmapped regions and triggers a fault on the secure processor.
Root Cause
The root cause is missing bounds validation on the caller-controlled size and offset arguments processed by cv_send_blockdata. The firmware uses the supplied values to compute the source address and length of a block read without checking that the resulting window lies inside the target buffer. This is [CWE-125], an out-of-bounds read: the program reads data past the end, or before the beginning, of the intended buffer.
Attack Vector
Exploitation requires code execution on a host with vulnerable ControlVault firmware and the ability to issue ControlVault API calls through the host libraries. The attacker submits a cv_send_blockdata request whose offset or length extends past the target buffer; the firmware processes it and returns memory beyond the intended allocation. No user interaction is required. Because the leaked bytes move from the secure processor into a host process, the impact crosses a trust boundary and extends beyond the vulnerable component itself.
Technical details are documented in the Talos Vulnerability Report TALOS-2024-2127 and the Dell Security Advisory DSA-2025-053.
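The Vulnerability Analysis, Root Cause and Attack Vector paragraphs above describe the same defect from three angles: a block-read handler that trusts a caller-supplied offset and length. The following C program is an added illustration written for this page, not Dell or Broadcom code; the real cv_send_blockdata implementation is unpublished, so the request layout, buffer sizes and return codes are assumptions. It models the exported block and the sensitive data next to it as one contiguous firmware RAM array so the overread is deterministic, then drives a vulnerable handler and a hardened one with the same crafted request. The hardened check is written as a subtraction so a large offset cannot wrap offset + length back inside the buffer in 32-bit arithmetic, which is the availability case the analysis mentions.

```c
/* Hypothetical model of a secure co-processor block-read handler.
 * Added example for this page; NOT Dell/Broadcom code. Request format,
 * sizes and return codes are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CV_OK        0
#define CV_ERR_PARAM 1

#define BLOCK_SIZE  64u  /* bytes the API is meant to expose            */
#define SECRET_SIZE 32u  /* stand-in for key/credential bytes next to it */

/* One contiguous firmware RAM region: exported block, then data the host
 * must never see. One array keeps the out-of-bounds read well defined
 * for this demo instead of depending on whatever happens to follow. */
static uint8_t cv_ram[BLOCK_SIZE + SECRET_SIZE];

/* Assumed wire format of the host request; both fields attacker-controlled. */
typedef struct {
    uint32_t offset;
    uint32_t length;
} cv_blockdata_req;

static void cv_ram_init(void) {
    memset(cv_ram, 0x41, BLOCK_SIZE);               /* 'A' = public block   */
    memset(cv_ram + BLOCK_SIZE, 0x5A, SECRET_SIZE); /* 'Z' = secret marker  */
}

/* Vulnerable: only the response buffer is bounded; the source window is
 * taken from the request as-is (CWE-125). */
static int cv_send_blockdata_vuln(const cv_blockdata_req *req,
                                  uint8_t *out, size_t out_cap) {
    if (req->length > out_cap) return CV_ERR_PARAM;  /* protects out, not cv_ram */
    memcpy(out, cv_ram + req->offset, req->length);  /* reads past the block      */
    return CV_OK;
}

/* Fixed: reject any window not fully inside the exported block. The
 * subtraction form cannot be bypassed by offset + length wrapping. */
static int cv_send_blockdata_fixed(const cv_blockdata_req *req,
                                   uint8_t *out, size_t out_cap) {
    if (req->length == 0 || req->length > out_cap) return CV_ERR_PARAM;
    if (req->offset > BLOCK_SIZE ||
        req->length > BLOCK_SIZE - req->offset) return CV_ERR_PARAM;
    memcpy(out, cv_ram + req->offset, req->length);
    return CV_OK;
}

/* Count secret-marker bytes that reached the caller. */
static size_t count_leaked(const uint8_t *out, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == 0x5A) leaked++;
    return leaked;
}

/* Submit one request to a handler. Returns -1 if the handler rejected it,
 * otherwise the number of secret bytes present in the response. Do not
 * feed the vulnerable handler an offset outside cv_ram: that is the crash
 * (availability) case and is undefined behaviour in C. */
static long probe(int (*handler)(const cv_blockdata_req *, uint8_t *, size_t),
                  uint32_t offset, uint32_t length) {
    uint8_t out[256] = {0};
    cv_blockdata_req req = { offset, length };
    cv_ram_init();
    if (handler(&req, out, sizeof out) != CV_OK) return -1;
    return (long)count_leaked(out, length);
}

int main(void) {
    /* Crafted request: start 16 bytes before the end of the block and ask
     * for 16 + SECRET_SIZE bytes, so the window runs into the secret. */
    uint32_t off = BLOCK_SIZE - 16, len = 16 + SECRET_SIZE;
    printf("vuln,  crafted: %ld secret bytes leaked\n",
           probe(cv_send_blockdata_vuln, off, len));
    printf("fixed, crafted: %ld (-1 = rejected)\n",
           probe(cv_send_blockdata_fixed, off, len));
    printf("fixed, whole block: %ld secret bytes leaked\n",
           probe(cv_send_blockdata_fixed, 0, BLOCK_SIZE));
    printf("fixed, wrapping offset: %ld (-1 = rejected)\n",
           probe(cv_send_blockdata_fixed, 0xFFFFFFF0u, 32));
    return 0;
}
```

The crafted request leaks all 32 marker bytes through the vulnerable handler and is rejected by the fixed one, while a legitimate whole-block read still succeeds. The wrapping-offset case shows why the check must not be written as `offset + length <= BLOCK_SIZE`: with 32-bit fields that sum wraps to 0x10 and would pass.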
Detection Methods for CVE-2025-24311
Indicators of Compromise
- Unexpected user-mode processes loading or calling into the ControlVault host libraries (BcmBipDLL.dll, wbdbase.dll) outside of normal authentication flows
- Repeated or malformed ControlVault API calls issued from non-Dell or unsigned binaries
- ControlVault firmware fault events or unexpected service restarts of Broadcom USH Host Components
Detection Strategies
- Inventory endpoints to identify Dell systems running ControlVault3 firmware below 5.15.10.14 or ControlVault3 Plus below 6.2.26.36
- Monitor process creation events for non-standard processes opening handles to ControlVault device objects or DLLs
- Correlate Windows Biometric Service anomalies with userland process telemetry to identify unusual API consumers
Monitoring Recommendations
- Enable verbose logging on the Windows Biometric Framework and ControlVault host driver where supported
- Alert on user-mode binaries that load the ControlVault host libraries and are not signed by Dell or Microsoft
- Track firmware version compliance through endpoint management tooling and flag rollback events
How to Mitigate CVE-2025-24311
Immediate Actions Required
- Update Dell ControlVault3 firmware to version 5.15.10.14 or later and ControlVault3 Plus to 6.2.26.36 or later as directed in DSA-2025-053
- Restrict local logon rights on affected systems to limit which accounts can call ControlVault APIs
- Audit installed software for unsigned or unexpected applications interacting with biometric and credential stacks
Patch Information
Dell has released fixed firmware versions through Dell Security Advisory DSA-2025-053. Administrators should deploy the updated ControlVault firmware packages via Dell Command Update, Dell SupportAssist, or enterprise patch management workflows. Firmware updates must be applied per device because the fix resides in the secure processor image, not the host operating system. For the same reason, the host driver version alone does not prove a device is patched: verify the running firmware version after the update rather than relying on the package install status.
Workarounds
- Disable ControlVault-backed fingerprint and smart card login on affected systems until firmware is updated, where operationally feasible
- Block untrusted local users from interactive sessions and disable secondary logon services on shared workstations
- Use application control policies to allow only signed Dell and OS components to communicate with the ControlVault host driver
# Example: enumerate ControlVault devices and their host driver versions on Windows (PowerShell).
# Note: DriverVersion is the host driver package, not the secure-processor firmware. Confirm the
# firmware level with Dell Command Update or the device's Properties sheet before marking a host patched.
Get-PnpDevice -FriendlyName '*ControlVault*' | Select-Object FriendlyName, Status, InstanceId
Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -like '*ControlVault*' } |
    Select-Object DeviceName, DriverVersion, Manufacturer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.