CVE-2025-65264 Overview
A vulnerability has been identified in the kernel driver shipped with CPUID CPU-Z v2.17 and earlier. The driver does not properly validate user-supplied values passed through its IOCTL interface, so a local attacker can obtain sensitive information with specially crafted requests. Because those checks are missing, an unprivileged user-mode process can use the driver to read kernel memory or other sensitive system information.
Critical Impact
Local attackers with low privileges can exploit insufficient IOCTL input validation to access sensitive kernel memory and confidential system information.
Affected Products
- CPUID CPU-Z v2.17 and all earlier versions
- CPU-Z kernel driver (cpuz.sys)
Discovery Timeline
- 2026-01-27 - CVE-2025-65264 published to NVD
- 2026-01-29 - Last updated in the NVD database
Technical Details for CVE-2025-65264
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the CPU-Z kernel driver's IOCTL handler. When processing requests from user-mode applications, the driver accepts parameters without adequate validation of buffer sizes, addresses, or content. This oversight allows a local attacker to craft malicious IOCTL requests that can bypass intended security boundaries and read sensitive information from kernel space.
The CPU-Z utility is widely used for hardware identification and system monitoring. It ships a kernel-mode driver so that it can read hardware state directly, and that driver exposes a device object to user mode; any process that can open the device therefore has a path into kernel mode, which is what makes such drivers attractive targets for information disclosure and privilege escalation. Exploiting this CVE requires local access to the target system but not administrator privileges: per the NVD assessment, low privileges are sufficient, and the impact recorded for this issue is information disclosure.
Root Cause
The root cause is insufficient validation of user-controlled input in the CPU-Z kernel driver's IOCTL dispatch routines. When the driver receives an IOCTL request, it does not properly verify:
- Requested lengths against the input and output buffer sizes the I/O manager reports for the request
- Memory addresses, to ensure they lie in user-mode address space rather than kernel space
- Input data bounds before performing memory operations on the caller's behalf
Because these checks are missing, an attacker can supply an arbitrary address or a manipulated length and have the driver copy kernel memory back to user mode. A related pitfall when adding such checks is to validate fields in the user buffer and then read them again from that buffer: the caller can change them between the check and the use, so a driver should copy the request into a local variable once and validate the copy.
Attack Vector
The attack requires local access to a system with the vulnerable CPU-Z driver installed. An attacker would:
- Obtain a handle to the CPU-Z device driver
- Construct a malicious IOCTL request with crafted parameters
- Send the request through the Windows DeviceIoControl API
- Receive and parse the response containing leaked kernel memory data
In CVSS terms the attack vector is local, the privileges required are low, and no user interaction is needed; the impact is confined to confidentiality, with high potential for sensitive information disclosure. Technical details and proof-of-concept materials are available at the GitHub PoC Repository.
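The following is an added example, not code from CPUID, from this page, or from the PoC repository it references: a user-space C model of the IOCTL handling pattern that the Root Cause list and the attack steps above describe. The request layout, the constants (USER_PROBE_ADDRESS, MAX_READ_LEN, KERNEL_SECRET_OFF, USER_DATA_OFF) and the simulated address space are assumptions made for illustration; the real driver's IOCTL codes and structures are not given on this page. The vulnerable handler trusts the caller's address and length; the hardened handler applies the length, range and single-fetch checks before copying anything, and the "attacker" function plays the crafted-request steps against both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated flat address space (constructed for this example). Offsets below
 * USER_PROBE_ADDRESS stand in for user-mode memory, offsets at or above it for
 * kernel memory. Nothing here touches a real kernel or the real CPU-Z driver. */
#define ADDRESS_SPACE_SIZE 4096u
#define USER_PROBE_ADDRESS 2048u   /* stand-in for MmUserProbeAddress */
#define MAX_READ_LEN        256u   /* hypothetical per-request cap */
#define KERNEL_SECRET_OFF  3000u   /* where the model plants "sensitive" kernel bytes */
#define USER_DATA_OFF       100u   /* ordinary user-mode data in the model */

static uint8_t address_space[ADDRESS_SPACE_SIZE];

/* Hypothetical request layout; the real driver's IOCTL format is not on the page. */
struct read_request {
    uint32_t source;   /* address the caller asks to have copied out */
    uint32_t length;   /* number of bytes requested */
};

enum status {
    STATUS_SUCCESS = 0,
    STATUS_BUFFER_TOO_SMALL,
    STATUS_INVALID_PARAMETER,
    STATUS_ACCESS_VIOLATION
};

static void seed_address_space(void)
{
    memset(address_space, 0, sizeof address_space);
    memset(address_space + USER_DATA_OFF, 'u', 64);
    memcpy(address_space + KERNEL_SECRET_OFF, "KERNELSECRET", 12);
}

/* VULNERABLE (CWE-20 pattern): trusts both request fields and never consults
 * the output buffer length the I/O manager reported for the IRP. */
enum status ioctl_read_vulnerable(const struct read_request *req,
                                  uint8_t *out, uint32_t out_len)
{
    (void)out_len;                                  /* never checked */
    memcpy(out, address_space + req->source, req->length);
    return STATUS_SUCCESS;
}

/* HARDENED: the checks the Root Cause list calls for, done before any copy.
 * in_len/out_len model IrpSp->Parameters.DeviceIoControl.{Input,Output}BufferLength.
 * In a real METHOD_NEITHER handler `req` is itself a user pointer and must be
 * probed with ProbeForRead inside __try/__except; METHOD_BUFFERED spares the
 * header but not an embedded address such as `source`. */
enum status ioctl_read_hardened(const struct read_request *req, uint32_t in_len,
                                uint8_t *out, uint32_t out_len)
{
    if (in_len < sizeof *req)
        return STATUS_BUFFER_TOO_SMALL;             /* input shorter than we parse */

    struct read_request local = *req;               /* fetch once; validate the copy so
                                                       user mode cannot change it later */
    if (local.length == 0 || local.length > MAX_READ_LEN || local.length > out_len)
        return STATUS_INVALID_PARAMETER;            /* bounded, and fits caller's buffer */

    /* source + length must stay at or below the probe address; written without
     * the addition so a large source cannot wrap around the check */
    if (local.source > USER_PROBE_ADDRESS - local.length)
        return STATUS_ACCESS_VIOLATION;             /* would read kernel memory */

    memcpy(out, address_space + local.source, local.length);
    return STATUS_SUCCESS;
}

/* Models the attack steps on the page: a low-privileged caller crafts a request
 * aimed at kernel memory and submits it. Returns true if the planted kernel
 * bytes came back, i.e. the handler under test leaked. */
bool attacker_leaks_kernel_bytes(bool use_hardened)
{
    uint8_t out[MAX_READ_LEN] = {0};
    struct read_request req = { .source = KERNEL_SECRET_OFF, .length = 12 };
    seed_address_space();
    enum status st = use_hardened
        ? ioctl_read_hardened(&req, sizeof req, out, sizeof out)
        : ioctl_read_vulnerable(&req, out, sizeof out);
    return st == STATUS_SUCCESS && memcmp(out, "KERNELSECRET", 12) == 0;
}

/* Runs the hardened handler on arbitrary parameters; the physical buffer is
 * always MAX_READ_LEN, so the model itself cannot overflow. */
enum status hardened_status(uint32_t source, uint32_t length,
                            uint32_t in_len, uint32_t out_len)
{
    uint8_t out[MAX_READ_LEN] = {0};
    struct read_request req = { .source = source, .length = length };
    seed_address_space();
    return ioctl_read_hardened(&req, in_len, out, out_len);
}

int main(void)
{
    printf("vulnerable handler leaks kernel bytes: %s\n",
           attacker_leaks_kernel_bytes(false) ? "yes" : "no");
    printf("hardened handler leaks kernel bytes:   %s\n",
           attacker_leaks_kernel_bytes(true) ? "yes" : "no");
    return 0;
}
```

Build with any C11 compiler (for example `cc -std=c11 -Wall ioctl_model.c`). The interesting cases to try against `hardened_status` are a length larger than the declared output buffer, a source just below the probe address whose range straddles it, and a source near 0xFFFFFFFF: the first fails the length check, the other two fail the range check, while the vulnerable handler would have copied whatever lay at that offset.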
Detection Methods for CVE-2025-65264
Indicators of Compromise
- Unusual IOCTL calls to the CPU-Z driver (cpuz.sys) from non-standard processes
- Unexpected processes accessing the CPU-Z device object
- Presence of exploitation tools or scripts targeting CPU-Z driver vulnerabilities
- Suspicious memory access patterns or information extraction attempts from processes interacting with the driver
Detection Strategies
- Monitor for processes issuing DeviceIoControl calls to the CPU-Z driver outside of normal CPU-Z application operation. Note that Sysmon and the standard Windows Security log do not record DeviceIoControl calls, so this needs an EDR sensor or a custom kernel-mode component
- Where your endpoint tooling can hook IOCTLs, log requests to the driver that carry unusual parameters or arrive at a high rate; stock Windows provides no audit trail of this kind for a third-party driver
- Use endpoint detection solutions to identify known exploitation patterns targeting kernel drivers
- Alert on processes opening handles to the CPU-Z device object (\\.\cpuz) without a corresponding CPU-Z application running; confirm the exact device and driver names on a reference installation of the version you deploy before writing rules
Monitoring Recommendations
- Subscribe to the relevant ETW providers, or use Sysmon Event ID 6 (DriverLoad), to record when the CPU-Z driver is loaded, from which path, and whether its signature validates
- Configure SentinelOne Singularity to detect and block kernel driver exploitation attempts
- Implement application allowlisting so that only approved binaries can execute; this limits which code can reach the driver, since allowlisting does not control device access directly
- Monitor for installation or loading of outdated CPU-Z driver versions
How to Mitigate CVE-2025-65264
Immediate Actions Required
- Update CPUID CPU-Z to a release later than v2.17 as soon as the vendor publishes one that addresses this issue
- Uninstall CPU-Z from systems where it is not required for business operations
- Restrict local user access to systems running vulnerable CPU-Z installations
- Implement application control policies to prevent unauthorized use of CPU-Z
Patch Information
Affected users should check the official CPUID Software Overview page for updated versions that address this vulnerability. If no patch is currently available, consider implementing the workarounds below until the vendor releases a security update.
Workarounds
- Remove the vulnerable cpuz.sys driver from the system if CPU-Z functionality is not required
- Block the vulnerable driver with Windows Defender Application Control (WDAC): check whether the affected driver is already covered by Microsoft's recommended driver block rules, and if not add a deny rule keyed on the driver file's hash. Once the policy is enforced the driver cannot be loaded, which closes the exploitation path at its root
- Restrict local user accounts and apply the principle of least privilege to limit potential attackers' access
- Deploy SentinelOne Singularity endpoint protection to detect and prevent exploitation attempts against kernel drivers
For systems that need CPU-Z functionality, consider an alternative hardware monitoring tool until a patched version is available. Administrators can also monitor driver load events so that any reappearance of the vulnerable driver, for example from a portable copy run by a user, is noticed promptly.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


