Unrated severity · NVD Advisory · Published Jun 21, 2019 · Updated Aug 5, 2024

CVE-2018-15731

Description

An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver file szkg64.sys contains a Denial of Service vulnerability due to not validating the output buffer address value from IOCtl 0x8000205B.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

STOPzilla AntiMalware 6.5.2.59 driver szkg64.sys fails to validate the output buffer address for IOCTL 0x8000205B, allowing local attackers to cause a denial of service.

Vulnerability

The vulnerability resides in the kernel driver szkg64.sys of STOPzilla AntiMalware version 6.5.2.59. The driver does not validate the output buffer address supplied by a user-mode caller for the IOCTL 0x8000205B. This allows a local attacker to trigger a denial of service by providing an invalid or unmapped output buffer address, leading to a system crash (BSOD) [2].

Exploitation

An attacker must have local access to the system and the ability to open a handle to the device associated with the driver. When an IOCTL request with code 0x8000205B carries a crafted output buffer address that points to an invalid memory region, the driver attempts to write to that address, causing a kernel-mode access violation and an immediate system crash [2]. No authentication or special privileges beyond user-level access are required.

Impact

Successful exploitation results in a denial of service (DoS) by crashing the Windows kernel, forcing a system reboot. The vulnerability does not allow code execution or privilege escalation; it only causes a system crash [2].

Mitigation

As of the publication date (2019-06-21), the vendor STOPzilla had not responded to the disclosure, and no patch or fixed version was available [2]. Users should consider removing or replacing STOPzilla AntiMalware with an actively maintained security product. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
