CVE-2018-3989
Description
An exploitable kernel memory disclosure vulnerability exists in the 0x8200E804 IOCTL handler functionality of WIBU-SYSTEMS WibuKey.sys Version 6.40 (Build 2400). A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An attacker can send an IRP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A kernel memory disclosure vulnerability in WibuKey.sys IOCTL handler 0x8200E804 allows unprivileged users to leak kernel memory via crafted IRP requests.
Vulnerability
The vulnerability exists in the 0x8200E804 IOCTL handler of WibuKey.sys version 6.40 (Build 2400). The driver returns uninitialized memory in response to a specially crafted IRP request, leading to kernel memory disclosure. The affected driver is part of the WibuKey Runtime for Windows package. The device \Device\WibuKey has default access controls allowing any user to send IOCTL requests (RW Everyone) [1].
Exploitation
An attacker can send a crafted IRP request to the WibuKey device via the 0x8200E804 IOCTL code. No authentication or special privileges are required beyond local access to the system. The attacker must be able to interact with the device, which is accessible to all users. The vulnerability is triggered by the IOCTL handler function sub_A08360F0, which does not properly initialize memory before copying it to the output buffer [1].
Impact
Successful exploitation results in disclosure of kernel memory, potentially leaking sensitive information such as cryptographic keys, passwords, or other kernel data. The CVSSv3 score is 4.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), indicating low confidentiality impact with no integrity or availability impact. The scope is changed because the leaked memory may contain data from other security contexts [1].
Mitigation
As of the advisory publication (TALOS-2018-0657), no fix was available. Users should monitor WIBU-SYSTEMS for a patched version of the driver. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Workarounds include restricting access to the device by modifying ACLs or disabling the driver if not needed [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The driver returns uninitialized kernel memory to user space because the allocated output buffer is never zeroed and the copy size is controlled by user-supplied input."
Attack vector
An attacker sends a crafted IOCTL request to the WibuKey device (\Device\WibuKey), which by default has "RW Everyone" access, so any local user can send such requests [ref_id=1]. The attacker controls the `someSize` field in the input buffer, which is written into the output buffer at offset 2. The driver then copies `someSize` bytes from the uninitialized allocated buffer back to the user, leaking kernel memory [CWE-200] [ref_id=1].
Affected code
The vulnerability resides in the IOCTL handler for control code 0x8200E804 in WibuKey.sys (version 6.40, Build 2400). The function `sub_A08360F0` writes user-controlled data into an allocated buffer without initializing the buffer first, and the caller `sub_A0835C60` copies `v9` bytes (derived from user input) from that buffer back to the user [ref_id=1].
What the fix does
The advisory notes a vendor patch was released on 2018-12-19, but the specific patch diff is not included in the bundle [ref_id=1]. The remediation would need to zero-initialize the allocated buffer before use, or limit the copy size to only the bytes that were actually written by the handler, preventing uninitialized kernel memory from being returned to user space [ref_id=1].
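A user-space model of the root cause and of the remediation described above, added here as an example; it is not the driver's code or the vendor's patch. The `pool` array, the function names and the 4-byte reply length are assumptions, and the 0x41 fill stands in for stale kernel data. The hardened variant applies both remediations at once.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE  0x3000
#define HEADER_LEN 4   /* bytes the modeled handler treats as its reply (assumption) */

/* Constructed stand-in for pool memory that still holds old contents. */
static uint8_t pool[POOL_SIZE];
void pool_fill_stale(void) { memset(pool, 0x41, sizeof pool); }
static uint8_t *pool_alloc(size_t n) { return n <= POOL_SIZE ? pool : NULL; }

/* Modeled handler: stores the user-supplied someSize at offset 2, nothing else. */
static size_t write_reply(uint8_t *buf, uint16_t some_size) {
    memcpy(buf + 2, &some_size, sizeof some_size);
    return HEADER_LEN;
}

/* Vulnerable pattern: allocation not zeroed, copy length taken from user input. */
size_t ioctl_vulnerable(uint16_t some_size, uint8_t *out, size_t out_len) {
    uint8_t *buf = pool_alloc(some_size);
    if (!buf || some_size < HEADER_LEN || out_len < some_size) return 0;
    write_reply(buf, some_size);
    memcpy(out, buf, some_size);      /* everything the handler never wrote is stale */
    return some_size;
}

/* Hardened pattern: zero the allocation and return only the bytes written. */
size_t ioctl_fixed(uint16_t some_size, uint8_t *out, size_t out_len) {
    uint8_t *buf = pool_alloc(some_size);
    if (!buf || some_size < HEADER_LEN || out_len < HEADER_LEN) return 0;
    memset(buf, 0, some_size);
    size_t written = write_reply(buf, some_size);
    memcpy(out, buf, written);
    return written;
}

/* Counts reply bytes that still carry the stale 0x41 marker. */
size_t count_stale(const uint8_t *out, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (out[i] == 0x41);
    return c;
}

int main(void) {
    static uint8_t out[POOL_SIZE];
    pool_fill_stale();
    size_t n = ioctl_vulnerable(0x2e12, out, sizeof out);
    printf("vulnerable: %zu bytes returned, %zu stale\n", n, count_stale(out, n));
    pool_fill_stale();
    n = ioctl_fixed(0x2e12, out, sizeof out);
    printf("fixed: %zu bytes returned, %zu stale\n", n, count_stale(out, n));
    return 0;
}
```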
Preconditions
- auth: Attacker must be able to open a handle to \Device\WibuKey (default permissions allow 'Everyone' with RW access)
- input: Attacker must send a DeviceIoControl call with IOCTL code 0x8200E804
- network: Attacker must be local to the Windows system
Reproduction
The bundle includes a Python PoC in the reference write-up [ref_id=1]. The script opens a handle to `\\.\WibuKey`, constructs an input buffer with `someSize` set to `0x2e12` and `unsigned6` set to 35, then calls `DeviceIoControl` with IOCTL `0x8200E804` and an output buffer length of `0x2e12`. The returned buffer contains uninitialized kernel memory, visible in the hex dump output [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- www.securityfocus.com/bid/107005 (mitre: vdb-entry, x_refsource_BID)
- cert-portal.siemens.com/productcert/pdf/ssa-760124.pdf (mitre: x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-844562.pdf (mitre: x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-902727.pdf (mitre: x_refsource_CONFIRM)
- talosintelligence.com/vulnerability_reports/TALOS-2018-0657 (mitre: x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.