CVE-2025-9338
Description
An improper restriction of operations within the bounds of a memory buffer exists in the AsIO3.sys driver. This vulnerability can be triggered by manually executing a specially crafted process, potentially leading to local privilege escalation. For additional information, please refer to the 'Security Update for Armoury Crate App' section of the ASUS Security Advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer bounds restriction flaw in the AsIO3.sys driver can be triggered by a crafted process, leading to local privilege escalation.
Vulnerability
Overview
CVE-2025-9338 is a vulnerability in the AsIO3.sys driver, part of the ASUS Armoury Crate software. The issue is classified as an improper restriction of operations within the bounds of a memory buffer, which is a classic memory corruption bug. The root cause lies in how the driver handles certain operations, failing to properly validate memory boundaries when processing requests from user mode.
Exploitation
To exploit this vulnerability, an attacker must be able to execute a specially crafted process on the local system. No additional authentication is required beyond the ability to run code at a low-integrity level. The attacker can trigger the bug by sending a malicious IOCTL or similar request to the driver, causing a buffer overflow or other memory corruption. This can be achieved without any special privileges, making it a viable vector for privilege escalation from a standard user account.
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the kernel, effectively gaining SYSTEM privileges. This means an attacker can take full control of the affected system, install programs, view, change, or delete data, and create new accounts with full user rights. The vulnerability is rated as High severity with a CVSS score reflecting the potential for complete compromise of confidentiality, integrity, and availability.
Mitigation
ASUS has released a security update for the Armoury Crate application to address this vulnerability. Users are strongly advised to update to the latest version of Armoury Crate, which includes a patched version of the AsIO3.sys driver. The advisory is available on the ASUS security advisory page [1]. No workarounds are documented; the only mitigation is to apply the vendor-supplied update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.