CVE-2025-51060
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
A vulnerability in CPUID cpuz.sys version 1.0.5.4 allows an attacker to use DeviceIoControl with unvalidated parameters to perform RDMSR and WRMSR operations. This enables modification of the MSR_LSTAR register and hooking of the KiSystemCall64 syscall, followed by ROP-based exploitation to disable the SMAP flag in CR4 and execute code in kernel context.
Risk Assessment
An attacker can gain full control over the operating system by executing arbitrary code in kernel context, leading to complete compromise of data confidentiality, integrity, and availability.
Recommendation
Immediately update the CPUID cpuz.sys driver to the latest version if available, or temporarily disable it. Additionally, enable the Core Isolation feature in Windows if possible.
Original NVD description (English source)
An issue was discovered in CPUID cpuz.sys 1.0.5.4. An attacker can use DeviceIoControl with the unvalidated parameters 0x9C402440 and 0x9C402444 as IoControlCodes to perform RDMSR and WRMSR, respectively. Through this process, the attacker can modify MSR_LSTAR and hook KiSystemCall64. Afterward, using Return-Oriented Programming (ROP), the attacker can manipulate the stack with pre-prepared gadgets, disable the SMAP flag in the CR4 register, and execute a user-mode syscall handler in the kernel context. It has not been confirmed whether this works on 32-bit Windows, but it functions on 64-bit Windows if the core isolation feature is either absent or disabled.

