What is the Windows Kernel Pool?
The Windows kernel uses pool memory — a shared kernel-mode heap — to allocate and manage memory for kernel objects, data structures, and driver-allocated buffers. The kernel pool is divided into paged pool (can be swapped to disk) and non-paged pool (always in physical memory). Because the pool is shared across all kernel components and accessed by multiple concurrent threads, improper synchronization during pool operations can cause race conditions and memory corruption vulnerabilities that attackers exploit for privilege escalation.
Overview
CVE-2025-62215 is a race condition vulnerability (CWE-362) in the Windows kernel that enables a local attacker with low privileges to escalate to SYSTEM level. The race involves a concurrent double-free condition in shared kernel resource pools. Microsoft disclosed this as a zero-day in the November 2025 Patch Tuesday, with CISA adding it to the KEV catalog the following day. The High attack complexity (AC:H) reflects the timing precision required to win the race window, but a reliable exploit was confirmed in the wild before the patch was released.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (1507–22H2, ESU) | Before November 2025 cumulative update | November 2025 cumulative update |
| Windows 11 (21H2–24H2) | Before November 2025 cumulative update | November 2025 cumulative update |
| Windows Server 2019–2025 | Before November 2025 cumulative update | November 2025 cumulative update |
Technical Details
The race condition (CWE-362) involves a concurrent double-free in the Windows kernel's resource pool management. Two execution threads simultaneously access a shared kernel object without proper mutual exclusion:
- Thread A is freeing a kernel pool allocation and updating internal bookkeeping structures
- Thread B (controlled by the attacker) triggers a concurrent access to the same pool region before Thread A's free operation completes
This timing-sensitive race allows an attacker to cause a pool object to be freed twice (double-free). An attacker then uses heap grooming techniques — carefully controlling the allocation patterns of other kernel objects — to place attacker-controlled data at the freed memory address. When the stale pointer is subsequently dereferenced, it processes the attacker's data, typically enabling overwriting of process security tokens to gain SYSTEM privileges.
The High attack complexity (AC:H) reflects the timing precision needed: the attacker must win a race window that may be only microseconds wide, requiring either a reliable timing technique or repeated attempts.
Discovery
Microsoft MSTIC and internal telemetry identified zero-day exploitation before the November 2025 Patch Tuesday. Specific reporter attribution was not publicly disclosed. Public PoC code appeared on GitHub after the patch.
Exploitation Context
Confirmed zero-day exploitation before November 11, 2025. CISA added it to the KEV catalog on November 12. Local privilege escalation vulnerabilities in the Windows kernel are standard components of advanced attack chains — used to escalate from the initial foothold (phishing, malware, compromised credentials) to full system control. No specific threat actor was named.
Remediation
- Apply the November 2025 cumulative update for your Windows version immediately. The CISA deadline was December 3, 2025.
- No workarounds available — the only mitigation is the patch; disabling kernel pool features is not a supported option.
- Prioritize multi-user systems and RDP-accessible servers — these have a higher probability of hosting low-privilege attacker sessions.
- Enable Windows Defender Exploit Guard settings including CFG (Control Flow Guard) and arbitrary code guard where supported.
- Monitor for signs of exploitation: look for processes spawning with unexpected SYSTEM privileges (Event ID 4688 with high integrity level) from user-context parent processes.
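One way to operationalize the monitoring guidance above, as an added example that is not from the advisory or from Microsoft: correlate parsed Security log Event ID 4688 records so that a child process at High or System integrity whose creator ran at Medium or lower is flagged. The event records below are constructed samples shaped like the real 4688 fields (MandatoryLabel, ProcessId, CreatorProcessId, NewProcessName, SubjectUserName).

```python
# Windows mandatory-label SIDs mapped to a numeric rank for comparison
INTEGRITY_RANK = {
    "S-1-16-0": 0,       # Untrusted
    "S-1-16-4096": 1,    # Low
    "S-1-16-8192": 2,    # Medium (normal user session)
    "S-1-16-12288": 3,   # High (elevated admin)
    "S-1-16-16384": 4,   # System
}
HIGH = INTEGRITY_RANK["S-1-16-12288"]

# Constructed sample 4688 records; PIDs are hex strings as Windows logs them
SAMPLE_4688 = [
    {"ProcessId": "0x4c4", "CreatorProcessId": "0x2a8", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\explorer.exe", "MandatoryLabel": "S-1-16-8192"},
    {"ProcessId": "0x1f0", "CreatorProcessId": "0x4c4", "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "MandatoryLabel": "S-1-16-16384"},
    {"ProcessId": "0x2b0", "CreatorProcessId": "0x4c4", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "MandatoryLabel": "S-1-16-8192"},
    {"ProcessId": "0x3e8", "CreatorProcessId": "0x2f4", "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "MandatoryLabel": "S-1-16-16384"},
]


def suspicious_elevations(events):
    """Return (child_name, creator_name, child_label) for every event whose child
    is High or System integrity while its creator ran below High.

    A 4688 record carries the creator's PID but not the creator's integrity, so
    the creator's level is looked up from the creator's own 4688 record."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        child_rank = INTEGRITY_RANK.get(e["MandatoryLabel"], -1)
        creator = by_pid.get(e["CreatorProcessId"])
        if creator is None or child_rank < HIGH:
            continue  # creator not in the log window, or child is not elevated
        creator_rank = INTEGRITY_RANK.get(creator["MandatoryLabel"], -1)
        if creator_rank < HIGH:
            hits.append((e["NewProcessName"], creator["NewProcessName"], e["MandatoryLabel"]))
    return hits
```

On real logs, key the correlation on PID plus process creation time to survive PID reuse, and expect legitimate UAC elevations to match as well; treat hits as a triage signal rather than a verdict.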
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-62215 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2025-11-11 |
| NVD Last Modified | 2025-11-14 |
| CVSS 3.1 Score | 7.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-362 |
| CISA KEV Added | 2025-11-12 |
| CISA KEV Deadline | 2025-12-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-11-11 | Patched in November 2025 Patch Tuesday (zero-day exploited before patch) |
| 2025-11-12 | CISA adds to KEV |
| 2025-12-03 | CISA BOD 22-01 remediation deadline |