Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64390

CVE-2025-64390: PlayStation 4 Privilege Escalation Flaw

CVE-2025-64390 is a privilege escalation vulnerability in PlayStation 4 firmware versions 13.00-13.02 affecting the BD-J sandbox. This post covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-64390 Overview

CVE-2025-64390 is a privilege escalation vulnerability affecting Sony PlayStation 4 firmware versions 13.00 through 13.02. The flaw resides in the Blu-ray Disc Java (BD-J) sandbox, which enforces isolation for code executed from Blu-ray media. An attacker can escape this sandbox by supplying a malformed Java Archive (JAR) file. The underlying weakness is classified as [CWE-367], a Time-of-Check Time-of-Use (TOCTOU) race condition. Exploitation requires local access through Blu-ray media playback and does not require authentication or user interaction beyond loading the disc.

Critical Impact

A successful BD-J sandbox escape grants attacker-controlled code execution outside the Java isolation boundary on PlayStation 4 consoles running firmware 13.00 to 13.02.

Affected Products

  • Sony PlayStation 4 firmware version 13.00
  • Sony PlayStation 4 firmware version 13.01
  • Sony PlayStation 4 firmware version 13.02

Discovery Timeline

  • 2026-06-02 - CVE-2025-64390 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2025-64390

Vulnerability Analysis

The BD-J subsystem on PlayStation 4 executes Java applications embedded in Blu-ray discs inside a restricted sandbox. The sandbox is intended to prevent disc-provided code from interacting with privileged system resources. CVE-2025-64390 demonstrates that this isolation can be bypassed by a crafted JAR file that triggers inconsistent state handling during class loading or resource validation. The vulnerability is reachable from any disc the console attempts to play, making distribution through physical or virtualized Blu-ray media the primary delivery channel.

Root Cause

The root cause is a TOCTOU race condition [CWE-367] in the JAR processing path. The BD-J runtime validates archive contents at one point in time, then later uses those contents under the assumption they remain unchanged. A malformed JAR can produce divergent results between the check and the use, allowing attacker-supplied content to be loaded after the security check has passed. This bypasses the sandbox boundary that normally restricts BD-J applications from accessing privileged APIs.

Attack Vector

Attack delivery is local. An attacker authors a malicious BD-J title containing a malformed JAR and delivers it on Blu-ray media or through equivalent means accepted by the console. When the disc is inserted and the BD-J application launches, the malformed JAR is parsed by the sandboxed runtime. Successful exploitation yields code execution with the privileges of the BD-J host process, breaking out of the Java sandbox. The high attack complexity reflects the timing precision required to win the race window. Technical details are documented in HackerOne Security Report #3452696.

Detection Methods for CVE-2025-64390

Indicators of Compromise

  • Blu-ray titles containing BD-J applications with malformed JAR structures, including duplicate central directory entries or inconsistent manifest metadata.
  • Unexpected BD-J application crashes or restarts during disc playback on firmware 13.00 through 13.02.
  • Console behavior consistent with unauthorized code execution following Blu-ray insertion, such as unexpected network connections or system instability.

Detection Strategies

  • Inspect Blu-ray media images for JAR files whose declared archive metadata does not match parsed entry contents.
  • Validate JAR integrity using independent parsers and compare results against the embedded manifest to surface inconsistencies a TOCTOU exploit relies on.
  • Track firmware version distribution across managed PlayStation 4 fleets to identify devices remaining on vulnerable 13.00 to 13.02 builds.

Monitoring Recommendations

  • Monitor outbound network traffic from PlayStation 4 consoles for anomalous destinations after BD-J playback sessions.
  • Audit physical access to consoles in shared or production environments where untrusted Blu-ray media could be introduced.
  • Track Sony PlayStation security advisories for confirmation of patched firmware versions superseding 13.02.

How to Mitigate CVE-2025-64390

Immediate Actions Required

  • Update affected PlayStation 4 consoles to the latest firmware released after version 13.02 once Sony publishes a fix.
  • Avoid inserting untrusted Blu-ray discs into consoles running firmware 13.00, 13.01, or 13.02.
  • Disable or restrict BD-J playback where the platform allows it, particularly on consoles used for development or testing.

Patch Information

No vendor patch reference is published in the NVD record at the time of writing. Consult Sony PlayStation system software update notes for firmware versions following 13.02 and apply the update through the console's System Software Update menu. The referenced HackerOne Security Report #3452696 tracks the responsible disclosure.

Workarounds

  • Restrict Blu-ray disc usage on vulnerable consoles to verified, sealed retail media from trusted publishers.
  • Physically secure consoles to prevent unauthorized insertion of attacker-prepared Blu-ray discs.
  • Keep affected consoles disconnected from sensitive networks until firmware is updated past 13.02.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.