CVE-2025-65264 Overview
CVE-2025-65264 is an information disclosure vulnerability in the kernel driver shipped with CPUID CPU-Z version 2.17 and earlier on Windows. The driver fails to validate user-supplied values passed through its IOCTL (Input/Output Control) interface. A local attacker with low privileges can craft IOCTL requests to read sensitive kernel memory contents. The flaw is tracked under CWE-20: Improper Input Validation.
Critical Impact
A local, low-privileged attacker can disclose sensitive kernel-mode information through crafted IOCTL requests to the CPU-Z driver, enabling reconnaissance for follow-on privilege escalation.
Affected Products
- CPUID CPU-Z for Windows, version 2.17
- CPUID CPU-Z for Windows, all earlier 2.x versions
- The bundled cpuz kernel driver component
Discovery Timeline
- 2026-01-27 - CVE-2025-65264 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2025-65264
Vulnerability Analysis
The CPU-Z kernel driver exposes an IOCTL interface that user-mode processes can call to query hardware information. The driver accepts parameters from user space without validating their content or bounds. An attacker opens a handle to the driver device object and issues a crafted DeviceIoControl request. The driver then reads memory addresses dictated by attacker-supplied input and returns the contents to the caller.
Because the driver runs in kernel context, the returned data can include kernel pointers, structure contents, and other privileged information. This breaks the user/kernel trust boundary that Windows enforces. The flaw is limited to confidentiality, with no direct write primitive disclosed in the advisory.
Root Cause
The root cause is improper input validation [CWE-20] in the driver's IOCTL dispatch routine. Parameters that should be checked against expected ranges, alignment, and permitted address spaces are passed directly to internal read routines. The driver does not verify that user-supplied addresses or indices fall within a safe range before dereferencing them.
Attack Vector
Exploitation requires local access and an authenticated session on the target Windows host. The attacker must hold permissions sufficient to open the driver's device interface, which is typically accessible to standard users once CPU-Z has been run. No user interaction is required beyond running the attacker's binary. Remote exploitation is not possible because the IOCTL surface is not network-exposed.
A proof-of-concept demonstrating the issue is published in the CVE-2025-65264 PoC repository. Refer to the CPUID CPU-Z product page for vendor information.
Detection Methods for CVE-2025-65264
Indicators of Compromise
- Presence of the vulnerable cpuz kernel driver file on disk with a version corresponding to CPU-Z 2.17 or earlier.
- Unexpected processes opening handles to the CPU-Z device object outside of the legitimate cpuz.exe user interface.
- DeviceIoControl calls to the CPU-Z driver originating from non-standard locations such as user temp directories.
Detection Strategies
- Inventory installed drivers across the fleet and flag hosts running CPU-Z 2.17 or older.
- Hunt for non-CPU-Z processes issuing IOCTLs to the CPU-Z device, which suggests driver abuse.
- Correlate driver load events (Windows Event ID 7045 and Sysmon Event ID 6) with process telemetry to identify unauthorized loading of the CPU-Z driver as a Bring-Your-Own-Vulnerable-Driver (BYOVD) primitive.
Monitoring Recommendations
- Enable kernel driver load auditing and forward events to a central SIEM for analysis.
- Monitor for handle creation against \\.\cpuz* device paths from unsigned or unexpected binaries.
- Track installation of CPU-Z outside of approved software deployment channels and on systems where hardware diagnostics are not required.
How to Mitigate CVE-2025-65264
Immediate Actions Required
- Identify all endpoints running CPU-Z 2.17 or earlier and prioritize them for remediation.
- Remove CPU-Z from systems where hardware diagnostics are not an operational requirement.
- Restrict standard-user execution of CPU-Z through application control policies until a fixed version is deployed.
Patch Information
At the time of publication, the NVD entry for CVE-2025-65264 does not list a vendor advisory or fixed release. Administrators should monitor the CPUID CPU-Z download page for a version higher than 2.17 that addresses the IOCTL validation flaw. Apply the updated build to all affected hosts once available and verify the on-disk driver version after installation.
Workarounds
- Uninstall CPU-Z on systems that do not require it and remove the residual cpuz driver from %SystemRoot%\System32\drivers\.
- Block load of the vulnerable driver using Microsoft's recommended driver blocklist or Windows Defender Application Control (WDAC) policies.
- Limit local logon rights and enforce least privilege so that untrusted users cannot execute arbitrary binaries that load the driver.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
