Overview
A high-severity vulnerability, tracked as CVE-2025-36463, has been identified in the Broadcom Storage Adapter functionality of Dell ControlVault3 and ControlVault3 Plus. The flaw consists of out-of-bounds read and write issues in the ControlVault WBDI Driver. Successful exploitation can corrupt memory and cause a denial of service (DoS). Dell has released patches that address the issue.
Technical Details
The vulnerability resides in the WinBioControlUnit functionality of Dell ControlVault3 and ControlVault3 Plus. It is triggered by a specially crafted WinBioControlUnit call to the StorageAdapter with the ControlCode WBIO_USH_ADD_RECORD (value 4). When SendBufferSize is greater than 0 but less than 104 bytes, the handler reads past the end of SendBuffer on the heap: it evidently does not check SendBufferSize against the 104-byte minimum record it expects, so the fields it parses beyond the supplied bytes come from adjacent heap memory. The out-of-bounds reads and writes that follow corrupt memory.
Affected versions include:
- Dell ControlVault3 prior to 5.15.14.19
- Dell ControlVault3 Plus prior to 6.2.36.47
The Cisco Talos report that documents the issue notes that the constraints on triggering it are significant, which may limit practical exploitation to denial-of-service scenarios.
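The following is an added example, written for this page and not code from Dell, Broadcom or the Talos report. The real WBDI driver source is not available, so the record layout (ush_add_record_t, sized to exactly 104 bytes to match the threshold above), the status codes and the function names are all hypothetical; only the control code WBIO_USH_ADD_RECORD = 4 and the 104-byte boundary come from the advisory. It contrasts the missing-length-check pattern that produces a heap over-read for 0 < SendBufferSize < 104 with a hardened handler that validates the buffer before parsing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Control code named on the page (WBIO_USH_ADD_RECORD = 4). */
#define WBIO_USH_ADD_RECORD 4u

/* Status codes for this illustration only; not the driver's own. */
enum { USH_OK = 0, USH_INVALID_PARAMETER = 1, USH_BUFFER_TOO_SMALL = 2, USH_UNSUPPORTED_CODE = 3 };

/* Hypothetical fixed-size record header. The real layout is not on the page;
 * this one is sized to exactly 104 bytes so that it matches the threshold the
 * page reports (0 < SendBufferSize < 104 triggers the over-read). */
typedef struct {
    uint32_t identity_id;
    uint32_t record_flags;
    uint32_t template_length;   /* bytes of template data that follow the header */
    uint8_t  template_digest[32];
    uint8_t  reserved[60];
} ush_add_record_t;
_Static_assert(sizeof(ush_add_record_t) == 104, "header must be 104 bytes");

/* Vulnerable pattern: the only size check is SendBufferSize > 0, after which a
 * whole header is copied out of SendBuffer. For 0 < send_size < 104 the memcpy
 * reads (104 - send_size) bytes past the caller's heap buffer. *overread
 * reports that count so the harness can observe it. */
int add_record_vulnerable(const uint8_t *send_buffer, size_t send_size,
                          ush_add_record_t *out, size_t *overread)
{
    if (send_buffer == NULL || send_size == 0)
        return USH_INVALID_PARAMETER;
    memcpy(out, send_buffer, sizeof *out);   /* BUG: send_size never compared to sizeof *out */
    *overread = send_size < sizeof *out ? sizeof *out - send_size : 0;
    return USH_OK;
}

/* Hardened pattern: reject the buffer before touching it unless it covers the
 * whole header, then bound the variable-length field by the bytes that remain.
 * The second check is general hardening and is not described on the page. */
int add_record_hardened(const uint8_t *send_buffer, size_t send_size,
                        ush_add_record_t *out, size_t *overread)
{
    *overread = 0;
    if (send_buffer == NULL || send_size == 0)
        return USH_INVALID_PARAMETER;
    if (send_size < sizeof *out)
        return USH_BUFFER_TOO_SMALL;
    memcpy(out, send_buffer, sizeof *out);
    if (out->template_length > send_size - sizeof *out)
        return USH_INVALID_PARAMETER;
    return USH_OK;
}

/* Dispatcher in the shape of a WinBioControlUnit handler; only the control
 * code from the page is routed. */
int storage_adapter_control(uint32_t control_code, const uint8_t *send_buffer,
                            size_t send_size, int hardened, size_t *overread)
{
    ush_add_record_t rec;
    if (control_code != WBIO_USH_ADD_RECORD)
        return USH_UNSUPPORTED_CODE;
    return hardened ? add_record_hardened(send_buffer, send_size, &rec, overread)
                    : add_record_vulnerable(send_buffer, send_size, &rec, overread);
}

/* Demo harness. The constructed SendBuffer is the first send_size bytes of a
 * larger array so the vulnerable over-read stays inside mapped memory here;
 * against a real heap allocation the same read touches the neighbouring chunk. */
static int run_demo(size_t send_size, uint32_t template_length, int hardened, size_t *overread)
{
    uint8_t backing[256];
    memset(backing, 0xAA, sizeof backing);
    memcpy(backing + offsetof(ush_add_record_t, template_length), &template_length, sizeof template_length);
    return storage_adapter_control(WBIO_USH_ADD_RECORD, backing, send_size, hardened, overread);
}
int demo_status(size_t send_size, uint32_t template_length, int hardened)
{
    size_t overread = 0;
    return run_demo(send_size, template_length, hardened, &overread);
}
size_t demo_overread(size_t send_size, uint32_t template_length, int hardened)
{
    size_t overread = 0;
    run_demo(send_size, template_length, hardened, &overread);
    return overread;
}

int main(void)
{
    printf("50-byte SendBuffer, vulnerable: status=%d, bytes read past buffer=%zu\n",
           demo_status(50, 0, 0), demo_overread(50, 0, 0));
    printf("50-byte SendBuffer, hardened:   status=%d (USH_BUFFER_TOO_SMALL=%d)\n",
           demo_status(50, 0, 1), USH_BUFFER_TOO_SMALL);
    printf("104-byte SendBuffer, hardened:  status=%d (USH_OK=%d)\n",
           demo_status(104, 0, 1), USH_OK);
    return 0;
}
```

Two things follow from the shape of the bug. The over-read is bounded by the header size, so with a 1-byte SendBuffer the vulnerable handler reads at most 103 bytes past the allocation; that bounded, mostly uncontrolled reach is consistent with the Talos assessment that a crash is the likely outcome. And the hardened check must come before the first access to the buffer: a check placed after the memcpy, as is common when a size validation is bolted on late, leaves the over-read in place.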
CVSS Analysis
This vulnerability has been assigned a CVSS v3 score of 7.3 (High).
Possible Impact
While the constraints surrounding exploitation may limit the scope of the vulnerability, successful exploitation could lead to:
- Memory Corruption: Out-of-bounds writes can corrupt sensitive data in memory, potentially leading to system instability.
- Denial of Service (DoS): An attacker may be able to crash the affected service or the entire system, causing a denial of service for legitimate users.
Mitigation and Patch Steps
Dell has released updated ControlVault3 and ControlVault3 Plus driver and firmware packages to address this vulnerability. Users of affected Dell systems should upgrade to the following versions (or later) as soon as possible:
- Dell ControlVault3: Upgrade to version 5.15.14.19 or later.
- Dell ControlVault3 Plus: Upgrade to version 6.2.36.47 or later.
The updates can be obtained from the Dell support website or through the Dell Update utility. After installing, confirm that the reported driver and firmware version meets the minimum above rather than assuming the update applied.
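Checking an installed version against the fixed versions is easy to get wrong if the comparison is done on strings ("5.9.0.0" sorts after "5.15.14.19" under strcmp). The following is an added example, not Dell's tooling and not part of the advisory: it parses four-component dotted versions and compares them numerically against the fixed versions listed above. The product keys, function names and sample readings are constructed for the example; the installed value would come from the driver's properties in Device Manager or from Dell's update tooling.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed versions from the advisory, keyed by product name (the keys are
 * labels chosen for this example). */
typedef struct { const char *product; const char *fixed; } fixed_version_t;
static const fixed_version_t FIXED_VERSIONS[] = {
    { "ControlVault3",      "5.15.14.19" },
    { "ControlVault3 Plus", "6.2.36.47"  },
};

/* Parse a dotted version with up to four numeric components into out[];
 * missing trailing components read as 0. Returns false on any other input. */
bool parse_version(const char *s, unsigned out[4])
{
    int idx = 0;
    bool have_digit = false;
    for (int i = 0; i < 4; i++) out[i] = 0;
    for (; *s; s++) {
        if (*s >= '0' && *s <= '9') {
            if (idx >= 4) return false;          /* more than four components */
            out[idx] = out[idx] * 10u + (unsigned)(*s - '0');
            have_digit = true;
        } else if (*s == '.') {
            if (!have_digit) return false;       /* rejects "", ".5", "5..1" */
            idx++;
            have_digit = false;
        } else {
            return false;
        }
    }
    return have_digit;                            /* rejects a trailing "." */
}

/* Component-wise numeric comparison: <0, 0, >0 like strcmp, but "5.9.0.0"
 * correctly sorts below "5.15.14.19", which plain strcmp gets wrong. */
int compare_version(const unsigned a[4], const unsigned b[4])
{
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* 1 = installed version is below the fixed version (affected),
 * 0 = at or above it (patched), -1 = unknown product or unparsable version. */
int is_affected(const char *product, const char *installed)
{
    unsigned have[4], need[4];
    for (size_t i = 0; i < sizeof FIXED_VERSIONS / sizeof FIXED_VERSIONS[0]; i++) {
        if (strcmp(FIXED_VERSIONS[i].product, product) != 0) continue;
        if (!parse_version(installed, have) || !parse_version(FIXED_VERSIONS[i].fixed, need))
            return -1;
        return compare_version(have, need) < 0 ? 1 : 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample readings, not values taken from real machines. */
    const char *samples[][2] = {
        { "ControlVault3",      "5.15.14.18" },
        { "ControlVault3",      "5.9.0.0"    },
        { "ControlVault3",      "5.15.14.19" },
        { "ControlVault3 Plus", "6.2.36.47"  },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %-11s -> %s\n", samples[i][0], samples[i][1],
               is_affected(samples[i][0], samples[i][1]) == 1 ? "AFFECTED, update" : "patched");
    return 0;
}
```

A version that cannot be parsed, or a product the table does not know, returns -1 rather than "patched", so a fleet inventory script built on this does not silently mark unknown devices as safe.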
