Windows Firewall Bug Enables Privilege Escalation
September 13, 2025
Severity
High
Analysis Summary
A new Windows kernel information-disclosure flaw, CVE-2025-53136, has been uncovered in Windows 11 (24H2) and Windows Server 2022 (24H2). Ironically, the bug was introduced by Microsoft’s October 2024 patch for CVE-2024-43511, a TOCTOU race condition. In the process of fixing that issue, developers modified the RtlSidHashInitialize() function, which now briefly writes a sensitive kernel pointer from the TOKEN structure into a user-supplied buffer. This creates a small but exploitable time window that attackers can abuse to retrieve kernel addresses, effectively undermining Microsoft’s recent hardening measures against such leaks.
Exploitation is achieved by leveraging the NtQueryInformationToken() system call with the TokenAccessInformation class. While one thread makes this call, another thread can read the buffer during the brief interval in which the kernel pointer is exposed. Despite being a race condition, the timing window is wide enough to make the exploit highly reliable, as demonstrated by proof-of-concept tests. The researcher who analyzed the flaw reported that attackers can successfully capture the leaked pointer almost every time the exploit is run.
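The defect class described above, as an added illustration that is not part of this advisory and not Windows source: a simplified model in which a query routine fills a caller-supplied record, shown in the vulnerable form (intermediate state written straight into the user buffer, so a concurrent reader can observe the kernel pointer) beside the hardened form (record built in private memory and copied out once). All structure names, pointer values and SID inputs are constructed for the demonstration; the racing reader is simulated by a callback invoked between the two writes.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical model of the bug class, not Windows source: a query routine
 * fills a caller-supplied record whose pointer field must never expose a
 * kernel-side address (in the real flaw, a pointer taken from the TOKEN). */
typedef struct {
    uintptr_t table_ptr;
    uint32_t  hash[4];
} sid_hash_out_t;
#define KERNEL_SIDE_PTR ((uintptr_t)0xFFFFF80012345678ULL)  /* constructed */
#define USER_SIDE_PTR   ((uintptr_t)0x000000007FFE0000ULL)  /* constructed */
/* Simulated racing reader thread: invoked at the instant between writes. */
typedef void (*observer_fn)(const sid_hash_out_t *visible, void *ctx);
static void record_ptr(const sid_hash_out_t *v, void *ctx) {
    *(uintptr_t *)ctx = v->table_ptr;
}
static void compute_hash(uint32_t hash[4], const uint32_t *sids, size_t n) {
    memset(hash, 0, 4 * sizeof hash[0]);
    for (size_t i = 0; i < n; i++) hash[i % 4] ^= sids[i] * 2654435761u;
}
/* Vulnerable pattern: works in the user buffer directly, so the kernel
 * pointer stays visible until the late fix-up overwrites it. */
void fill_vulnerable(sid_hash_out_t *out, const uint32_t *sids, size_t n,
                     observer_fn observe, void *ctx) {
    out->table_ptr = KERNEL_SIDE_PTR;       /* transient leak */
    compute_hash(out->hash, sids, n);
    observe(out, ctx);                      /* racing reader runs here */
    out->table_ptr = USER_SIDE_PTR;         /* too late */
}

/* Hardened pattern: build the record in kernel-private memory and copy it
 * to the user buffer once, only in its final sanitized form. */
void fill_hardened(sid_hash_out_t *out, const uint32_t *sids, size_t n,
                   observer_fn observe, void *ctx) {
    sid_hash_out_t tmp = { KERNEL_SIDE_PTR, {0} };
    compute_hash(tmp.hash, sids, n);
    observe(out, ctx);                      /* reader sees the untouched buffer */
    tmp.table_ptr = USER_SIDE_PTR;
    memcpy(out, &tmp, sizeof tmp);          /* single final write */
}

/* Runs one fill with the simulated reader and returns the pointer value it
 * saw in the caller's buffer (0 means the buffer was still untouched). */
uintptr_t observed_pointer(int hardened) {
    static const uint32_t sids[] = { 0x101, 0x202, 0x303 };  /* constructed */
    sid_hash_out_t buf = { 0, {0} };
    uintptr_t seen = 0;
    (hardened ? fill_hardened : fill_vulnerable)(&buf, sids, 3, record_ptr, &seen);
    return seen;
}
```

The point for reviewers of kernel code is the same as the one the patch history shows: any value that is not safe for the caller must never transit a user-accessible buffer, even momentarily.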
The implications are serious because the vulnerability can be triggered from low-privilege contexts, including sandboxed AppContainer environments. While the flaw itself only leaks information, it provides attackers with a crucial building block. Once kernel pointers are known, other vulnerabilities, such as a “write-what-where” condition, can be chained with this leak to escalate privileges. In such a scenario, attackers could manipulate the TOKEN object, for instance by overwriting its Privileges field, to achieve full local privilege escalation on fully patched systems.
The flaw was responsibly disclosed beginning on April 8, 2025, though Microsoft initially dismissed the report as a duplicate. After review, the company acknowledged the issue on April 25 and later assigned it CVE-2025-53136 in August. This discovery highlights the recurring challenge in security patching: fixing one vulnerability can unintentionally create another. Until Microsoft releases a formal patch, administrators are advised to remain cautious, limit exposure of untrusted local code execution, and monitor for security advisories addressing this critical kernel leak.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2025-53136
CVE-2024-43511
Affected Vendors
Remediation
- Apply patches immediately once Microsoft issues an official security update addressing this vulnerability.
- Restrict untrusted code execution by minimizing the ability of low-privilege or sandboxed processes (e.g., AppContainers) to run on sensitive systems.
- Harden privilege boundaries by limiting access to processes or services that handle sensitive tokens, reducing opportunities for exploitation.
- Monitor system activity for suspicious use of NtQueryInformationToken() or unusual race-condition exploitation attempts.
- Use defense-in-depth measures such as endpoint detection and response (EDR) tools to spot exploit behavior rather than relying solely on patch availability.
- Limit attack surface by running only essential applications and services, thereby reducing potential avenues for chaining this leak with a memory corruption bug.