CVE-2025-70616

A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64.sys kernel driver (version 1.2.0.0) in the IOCTL handler for code 0x80102058. The vulnerability is caused by missing bounds checking on the user-controlled Options parameter before copying data into a 40-byte stack buffer (Src[40]) using memmove. An attacker with local access can exploit this vulnerability by sending a crafted IOCTL request with Options > 40, causing a stack buffer overflow that may lead to kernel code execution, local privilege escalation, or denial of service (system crash). Additionally, the same IOCTL handler can leak kernel addresses and other sensitive stack data when reading beyond the buffer boundaries.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/250wuyifan/wnBios64-CVE	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dieboldnixdorf:wnbios64.sys:1.2.0.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-05 19:16

Updated : 2026-03-10 19:41

NVD link : CVE-2025-70616

Mitre link : CVE-2025-70616

CVE.ORG link : CVE-2025-70616

JSON object : View

Products Affected

dieboldnixdorf

wnbios64.sys

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-70616", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-05T19:16:02.010", "references": [{"url": "https://github.com/250wuyifan/wnBios64-CVE", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64.sys kernel driver (version 1.2.0.0) in the IOCTL handler for code 0x80102058. The vulnerability is caused by missing bounds checking on the user-controlled Options parameter before copying data into a 40-byte stack buffer (Src[40]) using memmove. An attacker with local access can exploit this vulnerability by sending a crafted IOCTL request with Options > 40, causing a stack buffer overflow that may lead to kernel code execution, local privilege escalation, or denial of service (system crash). Additionally, the same IOCTL handler can leak kernel addresses and other sensitive stack data when reading beyond the buffer boundaries."}, {"lang": "es", "value": "Existe una vulnerabilidad de desbordamiento de b\u00fafer de pila en el controlador del kernel Wincor Nixdorf wnBios64.sys (versi\u00f3n 1.2.0.0) en el gestor IOCTL para el c\u00f3digo 0x80102058. La vulnerabilidad es causada por la falta de comprobaci\u00f3n de l\u00edmites en el par\u00e1metro Options controlado por el usuario antes de copiar datos en un b\u00fafer de pila de 40 bytes (Src[40]) usando memmove. Un atacante con acceso local puede explotar esta vulnerabilidad enviando una solicitud IOCTL manipulada con Options > 40, causando un desbordamiento de b\u00fafer de pila que puede conducir a la ejecuci\u00f3n de c\u00f3digo del kernel, escalada de privilegios local o denegaci\u00f3n de servicio (ca\u00edda del sistema). Adem\u00e1s, el mismo gestor IOCTL puede filtrar direcciones del kernel y otros datos sensibles de la pila al leer m\u00e1s all\u00e1 de los l\u00edmites del b\u00fafer."}], "lastModified": "2026-03-10T19:41:39.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dieboldnixdorf:wnbios64.sys:1.2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA6D0C47-69D0-4943-8E01-3954C50C3215"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}