AI description
CVE-2025-29970 is a use-after-free vulnerability in the Microsoft Brokering File System (BFS) driver, specifically affecting the bfs.sys component. The vulnerability stems from improper memory management in the deallocation logic of BFS's DirectoryBlockList, where the head of a linked list is deallocated prematurely while the function continues to access the freed memory in subsequent iterations. This occurs in the BfsCloseStorage function when policies are removed via the BfsProcessDeletePolicyRequest IOCTL call. An attacker with local access and appropriate tokens could exploit this vulnerability to escalate privileges on a Windows system. Exploitation requires the attacker to impersonate a process with an AppSilo token and create policy entries within the system. The vulnerability affects systems that use Windows sandbox features, particularly those that deploy isolated applications.
- Description: Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
- Source: secure@microsoft.com
- NVD status: Analyzed
- Products: windows_11_24h2, windows_server_2022_23h2, windows_server_2025
CVSS 3.1
- Type: Primary
- Base score: 7.8
- Impact score: 5.9
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
- secure@microsoft.com: CWE-416
- Hype score: Not currently trending
🚨 Microsoft Patches BFS Driver Bug (CVE-2025-29970) Enabling Local Privilege Escalation Microsoft fixed a use-after-free in the Brokering File System driver (bfs.sys) where BfsCloseStorage can dereference freed memory while cleaning a multi-entry DirectoryBlockList, enabling a
@ThreatSynop
24 Dec 2025
A privilege escalation vulnerability, identified as CVE-2025-29970, has been published for the BFS (Brokering File System) driver in Windows. For prevention and mitigation, to the Windows update section
@AmirHossein_sec
24 Dec 2025
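Microsoft has fixed a serious flaw (CVE-2025-29970) in an internal driver that underpins the Windows sandbox feature. It could allow privilege escalation from an isolated environment, and is drawing attention as an issue affecting the security of enterprise systems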
@yousukezan
22 Dec 2025
What better way to get into x'mas vibes than @flyingpassword dropping a BFS n-day (CVE-2025-29970) blog post! (Santa would approve :)) Merry X-mas! https://t.co/Skmuu5rsU1
@pixiepointsec
22 Dec 2025
🔒 A new vulnerability (CVE-2025-29970) in the Microsoft File System lets attackers escalate their privileges like a game of musical chairs—only the chairs are your data! Time to patch up and secure those systems! #WindowsForum #CyberSecurity #PatchItUp https://t.co/fdoQQ3cJV
@windowsforum
14 May 2025
CVE-2025-29970 Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. https://t.co/gpBCrlm7f4
@CVEnew
13 May 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*",
            "vulnerable": true,
            "matchCriteriaId": "4448191F-2152-4E7F-8D4A-4EE7ED6657D6",
            "versionEndExcluding": "10.0.26100.4061"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*",
            "vulnerable": true,
            "matchCriteriaId": "7CE8E58A-59AA-4649-8C0F-0DB11A1D1936",
            "versionEndExcluding": "10.0.26100.4061"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2B9B2720-3733-4C50-85F7-156D781D15B8",
            "versionEndExcluding": "10.0.25398.1611"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DAE51E4F-FCFF-4DC0-9B76-861EE20D54A4",
            "versionEndExcluding": "10.0.26100.4061"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]