
New Windows 11 Flaw Slips In Through Old Patch

A Microsoft fix introduced CVE-2025-53136, leaking kernel addresses in Windows 11/Server 2022. Learn risks and how to stay protected.

Written By
Ken Underhill
Sep 12, 2025

A Microsoft security update meant to fix an earlier vulnerability has accidentally introduced a serious new vulnerability in Windows 11 and Windows Server 2022. 

The issue, tracked as CVE-2025-53136, exposes kernel memory addresses in the latest 24H2 releases, potentially undermining a key Windows defense.

According to the Crowdfense researcher, this vulnerability “…can be easily chained with other vulnerabilities to obtain a complete exploit on the latest version of the system.”

What is the issue?

The vulnerability affects Windows 11 (24H2) and Windows Server 2022 (24H2), giving low-privilege attackers — including sandboxed apps — a foothold to escalate attacks. 

By leaking kernel pointers, the flaw weakens Microsoft’s recent hardening measures against kernel exploitation. CVE-2025-53136 can be chained with other vulnerabilities to gain full Local Privilege Escalation (LPE). 

Researchers linked the flaw to changes in RtlSidHashInitialize() from Microsoft’s October 2024 CVE-2024-43511 patch, which now passes a kernel TOKEN.UserAndGroups pointer as its first parameter and a user buffer as the third.

During initialization, the function mistakenly writes that sensitive kernel pointer into the user buffer before replacing it with a benign value. Although the pointer is removed quickly, this leaves a small but exploitable window in which an attacker can capture it from user space.

Attack steps

To exploit this flaw, an attacker creates two concurrent threads. One repeatedly calls the NtQueryInformationToken() system call with the TokenAccessInformation class, which triggers the vulnerable code path. 

The other thread continuously reads from the user buffer at the exact offset where the kernel pointer is stored. By racing the read operation against the brief moment when the pointer is exposed, the hacker can reliably obtain the leaked address of the TOKEN’s UserAndGroups field.

Despite being a race condition, the exploit is highly dependable because the time window is wide enough to win consistently. Proof-of-concept demonstrations show the kernel address can be captured almost every run, even from low-privilege environments such as Low Integrity Level (Low IL) or AppContainer sandboxes. 

Once the attacker learns the leaked address, it becomes a powerful primitive. When combined with a write-what-where bug, the attacker can overwrite the Privileges field of the TOKEN structure and escalate to full local administrator rights.

Mitigation steps to take

Microsoft has not yet released an official patch, but organizations should prepare to deploy it as soon as it becomes available. In the meantime, security teams can:

  • Control application execution: Restrict untrusted or unknown apps, harden sandbox environments (Low IL/AppContainer), and use tools like Windows Defender Application Control or AppLocker to block unauthorized code.
  • Enforce least privilege and strong baselines: Limit user and service rights, ensure only trusted accounts hold SeDebugPrivilege, and maintain hardened security configurations.
  • Strengthen detection and response: Enhance kernel-level monitoring (EDR/SIEM), watch for abnormal use of NtQueryInformationToken() or memory reads, and update playbooks for privilege-escalation scenarios.
  • Isolate and test critical systems: Segment networks to protect high-value servers, and conduct regular vulnerability assessments and regression testing to verify defenses.
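As an added illustration of the detection bullet above (this is example code, not from the article, Microsoft or Crowdfense), a rate-based detector that flags processes issuing bursts of NtQueryInformationToken(TokenAccessInformation) calls, weighting Low IL and AppContainer origins more strictly. The telemetry schema, field names, process names and thresholds are all assumptions; the sample events are constructed.

```python
"""Rate-based detector for the CVE-2025-53136 probing pattern (constructed telemetry)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Integrity levels the article names as the PoC's low-privilege origins.
LOW_PRIV_LEVELS = {"Low", "AppContainer"}

@dataclass(frozen=True)
class TokenQueryEvent:
    """One hypothetical EDR record of an NtQueryInformationToken call; the schema is assumed."""
    ts_ms: int        # timestamp in milliseconds
    pid: int
    image: str
    integrity: str    # "System", "High", "Medium", "Low" or "AppContainer"
    info_class: str   # TOKEN_INFORMATION_CLASS name, e.g. "TokenAccessInformation"

def find_suspicious_pids(events, window_ms=1000, threshold=50):
    """Return {pid: peak_count} for processes that exceed `threshold`
    TokenAccessInformation queries within any sliding `window_ms` window.
    Low-IL/AppContainer processes are held to half the threshold, since that
    is where the article's proof of concept runs. Thresholds are assumptions."""
    windows = defaultdict(deque)
    peaks = {}
    for ev in sorted(events, key=lambda e: e.ts_ms):
        if ev.info_class != "TokenAccessInformation":
            continue  # only this class reaches the vulnerable code path
        q = windows[ev.pid]
        q.append(ev.ts_ms)
        while ev.ts_ms - q[0] >= window_ms:  # drop timestamps outside the window
            q.popleft()
        limit = threshold // 2 if ev.integrity in LOW_PRIV_LEVELS else threshold
        if len(q) > limit:
            peaks[ev.pid] = max(peaks.get(ev.pid, 0), len(q))
    return peaks

def constructed_events():
    """Constructed sample telemetry: a benign Medium-IL process making a few
    token queries, plus a sandboxed process hammering the vulnerable class."""
    evs = [TokenQueryEvent(1000 * i, 4242, "explorer.exe", "Medium",
                           "TokenAccessInformation") for i in range(5)]
    evs += [TokenQueryEvent(10_000 + 2 * i, 7777, "sandboxed.exe", "AppContainer",
                            "TokenAccessInformation") for i in range(200)]
    evs += [TokenQueryEvent(10_000 + 3 * i, 7777, "sandboxed.exe", "AppContainer",
                            "TokenUser") for i in range(100)]  # other class, ignored
    return evs

if __name__ == "__main__":
    for pid, peak in find_suspicious_pids(constructed_events()).items():
        print(f"pid {pid}: peak of {peak} TokenAccessInformation queries in 1 s")
```

Real sensors rarely expose per-syscall counts directly, so in practice the same sliding-window logic would be fed from whatever token-query or handle-access events your EDR does record.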

This case highlights a key cybersecurity challenge: patches can create new attack surfaces, necessitating a balance between quick fixes and thorough testing.

The right vulnerability scanner can help you spot the latest vulnerabilities before attackers do.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.


eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
