CVE-2025-62215

HIGH KEV

Windows Kernel - Use-After-Free via Race Condition

Title source: llm

Exploitation Summary

CVE-2025-62215 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 12, 2025. EIP tracks 8 public exploits from researchers including E1 Coders, dexterm300, and abrewer251.

AI-analyzed exploit summary: The code demonstrates a privilege escalation exploit for CVE-2025-62215, targeting a race condition in the Windows Kernel. It includes functions for process enumeration, kernel memory manipulation, and a simulated race condition attack to elevate privileges to SYSTEM.

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally.

Exploits (8)

exploitdb WORKING POC
by E1 Coders · text · local · windows
https://www.exploit-db.com/exploits/52494

The code demonstrates a privilege escalation exploit for CVE-2025-62215, targeting a race condition in the Windows Kernel. It includes functions for process enumeration, kernel memory manipulation, and a simulated race condition attack to elevate privileges to SYSTEM.

Classification: Working PoC 85%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows Kernel (Windows 10, 11, 12)
Auth required
Prerequisites: Local access to the target system · Ability to execute arbitrary code · Knowledge of kernel memory offsets for the target Windows version
devstral-2 · analyzed May 07, 2026

nomisec WORKING POC 26 stars
by dexterm300 · local
https://github.com/dexterm300/CVE-2025-62215-exploit-poc

This repository contains a proof-of-concept exploit for CVE-2025-62215, a Windows Kernel privilege escalation vulnerability involving a race condition and double-free memory corruption. The exploit includes advanced heap grooming and race condition triggering techniques to escalate local user privileges to SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows Kernel (Windows 10, Windows 11, Windows Server)
Auth required
Prerequisites: Local access to the target system · Visual Studio 2019 or later with Windows SDK · Administrator privileges for testing
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by abrewer251 · poc
https://github.com/abrewer251/CVE-2025-62215_Windows_Kernel_PE

This repository contains a proof-of-concept exploit for CVE-2025-62215, a Windows kernel race condition vulnerability leading to a double-free condition, which can be exploited for local privilege escalation to SYSTEM. The exploit uses multithreading to trigger the race condition and heap spraying to control memory layout.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows Kernel (Windows 10/11 x64)
Auth required
Prerequisites: Windows 10/11 (x64) · Administrator rights for full privilege escalation · MSVC compiler with Debug CRT
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by mrk336 · local
https://github.com/mrk336/Kernel-Chaos-Weaponizing-CVE-2025-62215-for-SYSTEM-Privilege-Escalation

This repository contains a Windows Kernel privilege escalation exploit for CVE-2025-62215 that leverages a race condition in memory handling. The PoC demonstrates pool grooming via concurrent thread operations to corrupt kernel resources and achieve SYSTEM privileges.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Windows Kernel (version not specified)
Auth required
Prerequisites: Local authenticated access · Ability to load kernel drivers
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-62215

This repository contains a functional proof-of-concept exploit for CVE-2025-62215, a Windows kernel race condition vulnerability leading to a double-free and local privilege escalation to SYSTEM. The exploit uses multithreading to trigger the race condition, heap spraying for memory layout control, and includes privilege escalation detection.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows 10/11 (x64)
Auth required
Prerequisites: Windows 10/11 (x64) · MSVC compiler · Administrator rights · ntdll.dll
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 1 star
by theman001 · local
https://github.com/theman001/CVE-2025-62215

This repository contains a Windows kernel exploit for CVE-2025-62215, leveraging a race condition and double-free vulnerability to achieve local privilege escalation (LPE) to SYSTEM. It includes WinDbg scripts for dynamic offset extraction, shellcode generation, and a C++ exploit engine that uses pipe spraying to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows Kernel (Windows 10/11 x64, specific builds)
Auth required
Prerequisites: Local access to the target system · WinDbg with JavaScript API support · NASM for shellcode compilation · Visual Studio 2022 for building the exploit
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by gowonisgood · dos
https://github.com/gowonisgood/CVE-2025-62215-POC

The repository contains a functional proof-of-concept exploit for CVE-2025-62215, demonstrating a race condition vulnerability in Windows token handling via NtDuplicateToken. The exploit uses multiple threads to trigger the race condition, potentially leading to privilege escalation.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Windows (specific version not specified)
Auth required
Prerequisites: Access to a Windows system with the vulnerability · Ability to execute code on the target system
devstral-2 · analyzed Mar 02, 2026

nomisec STUB
by uky007 · poc
https://github.com/uky007/CVE-2025-62215_analysis

This repository contains a skeleton PoC for CVE-2025-62215, a Windows Kernel Race Condition / Double-Free vulnerability leading to local privilege escalation. The exploit is incomplete and requires binary analysis to finalize the race condition trigger and double-free exploitation.

Classification: Stub 95%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Windows Kernel (ntoskrnl.exe) on Windows 10, 11, Server 2019/2022/2025
Auth required
Prerequisites: Local access to a vulnerable Windows system · Binary analysis tools (IDA Pro, BinDiff) · Pre/post-patch ntoskrnl.exe binaries
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.0
EPSS 0.0610
EPSS Percentile 92.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-11-12
VulnCheck KEV 2025-11-11
ENISA EUVD EUVD-2025-93397
CWE: CWE-362, CWE-415
Status published
Products (10)
microsoft/windows_10_1809 < 10.0.17763.8027 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.6575
microsoft/windows_10_22h2 < 10.0.19045.6575
microsoft/windows_11_23h2 < 10.0.22631.6199
microsoft/windows_11_24h2 < 10.0.26100.7092
microsoft/windows_11_25h2 < 10.0.26200.7092
microsoft/windows_server_2019 < 10.0.17763.8027
microsoft/windows_server_2022 < 10.0.20348.4346
microsoft/windows_server_2022_23h2 < 10.0.25398.1965
microsoft/windows_server_2025 < 10.0.26100.7092
Published Nov 11, 2025
KEV Added Nov 12, 2025
Tracked Since Feb 18, 2026