CVE-2025-70616
Published: 05 March 2026
Summary
CVE-2025-70616 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in the Diebold Nixdorf wnBios64.sys kernel driver. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires bounds checking on user-controlled inputs like the Options parameter in the IOCTL handler to directly prevent the stack buffer overflow and associated information leakage.
- Implements memory protections such as stack canaries, DEP, and ASLR to mitigate exploitation of the stack buffer overflow in the kernel driver even if input validation fails.
- Mandates timely identification, reporting, and patching of flaws like the buffer overflow in wnBios64.sys to eliminate the vulnerability at its source.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel driver stack buffer overflow via crafted IOCTL directly enables exploitation for privilege escalation to kernel code execution.
NVD Description
A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64.sys kernel driver (version 1.2.0.0) in the IOCTL handler for code 0x80102058. The vulnerability is caused by missing bounds checking on the user-controlled Options parameter before copying data into a 40-byte stack buffer (Src[40]) using memmove. An attacker with local access can exploit this vulnerability by sending a crafted IOCTL request with Options > 40, causing a stack buffer overflow that may lead to kernel code execution, local privilege escalation, or denial of service (system crash). Additionally, the same IOCTL handler can leak kernel addresses and other sensitive stack data when reading beyond the buffer boundaries.
Deeper analysis
CVE-2025-70616, published on 2026-03-05, is a stack buffer overflow vulnerability in the Wincor Nixdorf wnBios64.sys kernel driver, specifically version 1.2.0.0. The flaw occurs in the IOCTL handler for code 0x80102058 due to missing bounds checking on the user-controlled Options parameter before copying data into a fixed 40-byte stack buffer (Src[40]) via memmove. This vulnerability, classified under CWE-121 (Stack-based Buffer Overflow), carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with local access and low privileges can exploit the vulnerability by sending a crafted IOCTL request with an Options value greater than 40, triggering the stack buffer overflow. This may enable kernel code execution, local privilege escalation, or denial of service through a system crash. The same IOCTL handler also permits leakage of kernel addresses and other sensitive stack data when reading beyond the buffer boundaries.
Details on exploitation, including a proof-of-concept, are available in the GitHub repository at https://github.com/250wuyifan/wnBios64-CVE. No specific patch or mitigation guidance is detailed in the provided CVE information.
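The bounds check that SI-10 calls for, shown as an added example (not the driver's code and not taken from the CVE record): a user-mode C model of a handler that copies caller data into a 40-byte buffer. The request layout, function name, status codes, and the assumption that the handler returns the copied bytes to the caller are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SRC_CAPACITY 40u  /* size of the stack buffer named on the page: Src[40] */

/* Hypothetical request layout (assumption; the driver's real structure is not on the page). */
typedef struct {
    uint32_t options;       /* caller-controlled byte count */
    uint8_t  payload[256];  /* caller-controlled data */
} ioctl_request;

enum { REQ_OK = 0, REQ_TOO_SHORT = -1, REQ_LENGTH_REJECTED = -2, REQ_OUTPUT_TOO_SMALL = -3 };

/* in_len and out_len stand for the buffer sizes the I/O layer reports (assumed parameters).
   Every length is validated before any copy touches the fixed-size buffer. */
int handle_request(const void *in, size_t in_len, void *out, size_t out_len, size_t *written)
{
    const size_t hdr = offsetof(ioctl_request, payload);
    uint8_t src[SRC_CAPACITY] = {0};  /* zeroed so no stale stack bytes can be returned */
    uint32_t options;

    *written = 0;
    if (in_len < hdr) return REQ_TOO_SHORT;               /* header not fully present */
    memcpy(&options, in, sizeof options);                 /* capture the length once */
    if (options > sizeof src) return REQ_LENGTH_REJECTED; /* check against the destination size */
    if (options > in_len - hdr) return REQ_TOO_SHORT;     /* claims more bytes than supplied */
    if (options > out_len) return REQ_OUTPUT_TOO_SMALL;   /* never write past the output buffer */

    memcpy(src, (const uint8_t *)in + hdr, options);
    memcpy(out, src, options);                            /* return only the validated byte count */
    *written = options;
    return REQ_OK;
}

int main(void)
{
    ioctl_request req;
    uint8_t out[64];
    size_t n;
    memset(&req, 0x41, sizeof req);  /* constructed sample input */
    req.options = 41;                /* one byte over the 40-byte capacity */
    printf("status=%d written=%zu\n", handle_request(&req, sizeof req, out, sizeof out, &n), n);
    return 0;
}
```

Bounding both the inbound copy and the returned byte count by the validated length covers the overflow and the out-of-bounds read with the same check.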
Details
- CWE(s)