CVE-2025-62215 — NT Kernel Race / Double-Free LPE (ITW)

Last updated: 2026-04-28
Component: Windows kernel (ntoskrnl.exe)
Bug Class: Race condition leading to a double free in shared kernel resource handling
Patch: November 11, 2025 Patch Tuesday (also an out-of-band update for Windows 10 non-ESU)
Exploited ITW: Yes, disclosed as an actively exploited zero-day
Discoverer: Microsoft Threat Intelligence (per advisory)
CVSS: 7.0
Related: Race Conditions, Pool Internals, CVE-2025-29824
Tags: race-condition, double-free, ntoskrnl, kernel-mode, lpe, itw, zero-day


Summary

Unsynchronized concurrent access to a shared kernel resource lets a low-privileged local caller race two threads through the same free path until the kernel frees the same allocation twice. The resulting double free corrupts paged-pool allocator metadata, which the attacker steers into a kernel write primitive and ultimately a SYSTEM token.

Disclosed as exploited in the wild during Microsoft’s November 2025 Patch Tuesday. Trend ZDI’s Dustin Childs noted the pairing pattern: bugs of this class “are often paired with a code execution bug by malware to completely take over a system” — i.e., this is the post-RCE kernel step in modern multi-stage chains.


Root cause

Per Microsoft's advisory and tracker write-ups: multiple threads touch the same kernel resource without proper synchronization, and the kernel ends up freeing the same allocation twice. The exact resource and code path have not been published; what is known is that the exploit is built on a double free that corrupts paged-pool metadata. Treat any claim about which object or syscall is involved as speculation until a public write-up or patch diff appears.

Every currently supported Windows edition is affected, from Windows 10 (including ESU, with the unusual out-of-band release for non-ESU consumer Windows 10) through Windows 11 and Server 2025. A bug present across that whole range points to long-stable kernel code rather than a recently added feature.


Exploitation (expected pattern)

Double frees in paged pool typically pivot into write-what-where via:

  1. Race the kernel into freeing the same allocation twice, so the block sits in the size class's freelist twice.
  2. Reclaim the first free slot with a controllable object (e.g. another paged-pool allocation of the same size class).
  3. The second freelist entry still points at that same block, so the next kernel allocation of that size class aliases the attacker's object: whatever the kernel writes through its new object corrupts the controllable one, and vice versa.
  4. Promote the aliased object to arbitrary kernel read/write with a known cross-allocation technique (I/O ring or WNF state-data objects are the usual candidates).
  5. Steal a SYSTEM token: copy the token pointer from the System process's EPROCESS into the current process.

ITW samples are not yet public, so whether the in-the-wild exploit follows this path is unconfirmed.
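As an added example, not code from the advisory, the patch, or any ITW sample: a user-mode model of the two halves of this bug class described under Root cause and in steps 1 to 3 above. An unsynchronized check-then-act release lets two callers free one block, and the unchecked freelist then hands the same memory to two allocations. The toy pool, the resource type, the simulated interleaving and the checked free are all constructed for illustration; the fix shown is the generic one (an atomic exchange claiming the right to free, the equivalent of InterlockedExchange in the kernel), not a description of Microsoft's actual patch.

```c
/* Added example, not from ntoskrnl or any exploit: models (a) a racy release
 * that frees one block twice and (b) why a double free in a freelist pool
 * gives an attacker two live owners of the same memory. Everything here is
 * constructed for illustration. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 64
#define NBLOCKS    8

/* One size class; the freelist link lives inside each free block. */
typedef struct block {
    struct block *next;                          /* meaningful only while free */
    uint8_t data[BLOCK_SIZE - sizeof(struct block *)];
} block_t;

typedef struct {
    block_t  blocks[NBLOCKS];
    block_t *freelist;
    bool     in_use[NBLOCKS];                    /* consulted only by the checked free */
} pool_t;

static void pool_init(pool_t *p) {
    memset(p, 0, sizeof *p);
    for (int i = NBLOCKS - 1; i >= 0; i--) {     /* push every block onto the freelist */
        p->blocks[i].next = p->freelist;
        p->freelist = &p->blocks[i];
    }
}

static int blk_index(const pool_t *p, const block_t *b) { return (int)(b - p->blocks); }

static block_t *pool_alloc(pool_t *p) {
    block_t *b = p->freelist;
    if (!b) return NULL;
    p->freelist = b->next;
    p->in_use[blk_index(p, b)] = true;
    return b;
}

/* Unchecked free: trusts the caller. Freeing the same block twice leaves it on
 * the freelist twice (here b->next == b), so later allocations alias it. */
static void pool_free_unchecked(pool_t *p, block_t *b) {
    b->next = p->freelist;
    p->freelist = b;
    p->in_use[blk_index(p, b)] = false;
}

/* Checked free: refuses a block that is not currently allocated, the user-mode
 * analog of a pool header sanity check. Returns false on a double free. */
static bool pool_free_checked(pool_t *p, block_t *b) {
    int i = blk_index(p, b);
    if (i < 0 || i >= NBLOCKS || !p->in_use[i]) return false;
    pool_free_unchecked(p, b);
    return true;
}

/* Shared resource whose release frees its backing block. */
typedef struct { block_t *backing; atomic_int released; } resource_t;

/* Racy release split into the halves a preempted thread executes: read the
 * flag now, set it and free later. Two threads that both run release_check()
 * before either runs release_act() both free the block. */
static bool release_check(resource_t *r) { return !r->released; }
static void release_act(pool_t *p, resource_t *r) { r->released = 1; pool_free_unchecked(p, r->backing); }

/* Fixed release: a single atomic exchange claims ownership of the free, so
 * only the caller that observed 0 proceeds. */
static bool release_once(pool_t *p, resource_t *r) {
    if (atomic_exchange(&r->released, 1) != 0) return false;   /* lost the race: do nothing */
    pool_free_unchecked(p, r->backing);
    return true;
}

/* Steps 1-3 with the racy release and the unchecked pool. Returns true when
 * two later allocations of the size class hand out the same block. */
static bool racy_release_aliases(void) {
    pool_t pool; pool_init(&pool);
    resource_t res = { pool_alloc(&pool), 0 };
    bool a_passes = release_check(&res);         /* thread A checks ... */
    bool b_passes = release_check(&res);         /* ... thread B checks before A acts */
    if (a_passes) release_act(&pool, &res);      /* free #1 */
    if (b_passes) release_act(&pool, &res);      /* free #2 of the same block */
    block_t *victim   = pool_alloc(&pool);       /* a legitimate kernel object of this size */
    block_t *attacker = pool_alloc(&pool);       /* attacker's reclaim lands on the same memory */
    return victim == attacker;
}

/* Same interleaving, but the pool rejects the second free. Returns true when the
 * double free is detected and the allocations that follow are distinct. */
static bool checked_pool_catches_double_free(void) {
    pool_t pool; pool_init(&pool);
    resource_t res = { pool_alloc(&pool), 0 };
    bool a_passes = release_check(&res), b_passes = release_check(&res);
    bool first  = a_passes && pool_free_checked(&pool, res.backing);
    bool second = b_passes && pool_free_checked(&pool, res.backing);
    return first && !second && pool_alloc(&pool) != pool_alloc(&pool);
}

/* The real fix is synchronizing the release itself. Returns true when exactly
 * one of two racing callers frees and later allocations stay distinct. */
static bool synchronized_release_frees_once(void) {
    pool_t pool; pool_init(&pool);
    resource_t res = { pool_alloc(&pool), 0 };
    int frees = release_once(&pool, &res) + release_once(&pool, &res);
    return frees == 1 && pool_alloc(&pool) != pool_alloc(&pool);
}
```

The pool-side check only turns the double free into a detectable fault (on Windows, a bugcheck rather than a silent aliasing), which is mitigation, not a fix; the root-cause fix is the synchronized release, which is what a kernel patch for this bug class has to deliver.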


Affected versions

Windows 10 (incl. ESU), Windows 11 (all supported), Windows Server 2008/2012/2016/2019/2022/2025.


Detection

Microsoft and external trackers describe this CVE as exploited post-compromise: initial access (phishing, an RCE, or a sandbox escape) comes first, then the kernel LPE. Telemetry that only watches for the LPE fires after the attacker already has code running on the host, so pair it with upstream EDR coverage of the delivery and execution stages rather than relying on kernel-side signals alone.


References