Frame by Frame, Kernel Streaming Keeps Giving Vulnerabilities

Angelboy

OffensiveCon 2025 · Day 1 · Main

Angelboy of DEVCORE uncovered more than 20 vulnerabilities in Windows Kernel Streaming (KS), concentrated in the AVStream subsystem used by webcams and video devices. By abusing a logic inversion in how the 32-bit compatibility shim (KsThunk) and the core KS library handle MDL (Memory Descriptor List) cache flags, an attacker can corrupt kernel memory through mismatched frame-buffer mappings. The research culminates in a novel MDL-spray technique that achieves arbitrary physical memory writes and full kernel-level code execution on Windows 11 24H2.

AI review

Angelboy found 20+ bugs in Windows Kernel Streaming with 14 in AVStream's frame-handling path, then built a novel MDL-spray technique that achieves arbitrary physical memory writes and full kernel code execution on a patched Windows 11 24H2. The MDL mismatch bug class — born from a flag inversion between KsThunk and ks.sys — is a structurally new primitive. This is the real thing.
