Patch Tuesday introduced a subtle yet crucial security enhancement in Windows TCP/IP for CVE-2025-54093. I compared the versions of tcpip.sys before and after the update, focusing on the ESP (IPsec) outbound initialization process. The modification clearly addresses a TOCTOU vulnerability by preventing the use of raw pointers across a changing pipeline.
What changed after CVE-2025-54093
In the pre-patch build, the routine that preps ESP traffic handed a raw buffer pointer down to the confidentiality initializer. In complex send paths (think segmentation offload, MDL re-packing), that pointer could become stale before it was used.
The patched build:
Treats the same location as a DWORD-aligned view (no more byte-wise aliasing).
Passes a bounded 32-bit value into the initializer (consistent with an offset/descriptor, not a borrowed pointer).
Keeps the logic for ESP, IV generation, and offload—but forces address resolution late against the current buffer state.
Translation: replace “trust this old pointer” with “recompute safely from a stable base + offset.” That’s classic TOCTOU hardening.
Why it matters
When offload is enabled, the memory backing a packet can shift between “prepare” and “use.” Writing via a cached pointer risks scribbling into freed/adjacent memory in kernel context. That’s how a local bug becomes a local elevation of privilege. The fix preserves performance features (ESP, offload) while removing the stale-pointer lane.
How an Attacker Could Potentially Escalate Privileges using CVE-2025-54093
Preconditions: The system must be configured to use IPsec ESP (common in enterprise/domain networks, VPNs, or DirectAccess scenarios). The attacker needs local code execution with low privileges.
Attack path:
The attacker triggers or controls outbound ESP traffic from their low-privilege context (e.g., by sending traffic that matches an IPsec rule).
They carefully generate workloads that force segmentation/offload behavior, causing packet buffers to be re-mapped after the pointer was captured.
When the stale pointer is dereferenced, writes intended for IVs or cryptographic material land in unintended kernel memory regions.
With crafted traffic and timing, this could corrupt kernel data structures or control flow, leading to privilege escalation (SYSTEM-level execution).
Key point: The attacker doesn’t need kernel privileges to begin with; they abuse regular networking activity to coerce the kernel into misusing memory.
Takeaways for teams
Kernel safety ≠ removing features. You can keep offload and still fix TOCTOU by changing how you pass state.
Design pattern to remember: pass offsets/tokens, not borrowed pointers, across phases that can reorder/reshape buffers.
Defender tip: prioritize patch validation on endpoints that actually run IPsec/ESP; that’s where the risk concentrates.
If you’re building high-performance network code, this is a good reminder: concurrency and offload are great tools until an address exists longer than the memory model that created it.
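The "pass an offset, resolve late" pattern from the "what changed" section and the takeaways above, as an added user-mode C illustration (not Microsoft's tcpip.sys code; pkt_buf, repack and write_iv_by_offset are hypothetical stand-ins for the ESP prepare, re-pack and use phases):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy packet buffer: the backing store can be moved by a re-pack. */
typedef struct { uint8_t *base; size_t len; } pkt_buf;
enum { IV_LEN = 8 };

/* Stand-in for an offload/MDL re-pack: payload moves to a fresh, larger
 * allocation. Every raw pointer into the old store is now stale. */
static void repack(pkt_buf *b) {
    uint8_t *fresh = calloc(2 * b->len, 1);
    memcpy(fresh, b->base, b->len);
    free(b->base);
    b->base = fresh;
    b->len *= 2;
}

/* Pre-patch shape: capture a raw pointer in "prepare", use it after the
 * pipeline reshaped the buffer. Returns 1 if the captured pointer no longer
 * lies inside the live buffer (a write through it would land elsewhere). */
int demo_raw_pointer_goes_stale(void) {
    pkt_buf b = { calloc(64, 1), 64 };
    uintptr_t iv_ptr = (uintptr_t)(b.base + 20);   /* borrowed pointer */
    repack(&b);
    int stale = !(iv_ptr >= (uintptr_t)b.base && iv_ptr < (uintptr_t)b.base + b.len);
    free(b.base);
    return stale;                                   /* never dereferenced here */
}

/* Patched shape: carry a bounded 32-bit offset and resolve it against the
 * current base at use time, with the bounds check done at use time too.
 * Returns 0 on success, -1 if the offset no longer fits the live buffer. */
int write_iv_by_offset(pkt_buf *b, uint32_t iv_off, const uint8_t *iv) {
    if ((size_t)iv_off + IV_LEN > b->len) return -1;
    memcpy(b->base + iv_off, iv, IV_LEN);
    return 0;
}

/* Returns 1 if the IV written after the re-pack is found in the live buffer. */
int demo_offset_survives_repack(void) {
    static const uint8_t iv[IV_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    pkt_buf b = { calloc(64, 1), 64 };
    uint32_t iv_off = 20;                            /* prepare: record slot */
    repack(&b);                                      /* buffer reshaped */
    int ok = write_iv_by_offset(&b, iv_off, iv) == 0 &&
             memcmp(b.base + iv_off, iv, IV_LEN) == 0;
    free(b.base);
    return ok;
}
```

The fresh allocation is made before the old one is freed, so the two regions never overlap and the staleness check is deterministic.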