Overview
CVE-2025-36460 is a high-severity vulnerability affecting Dell ControlVault3 and ControlVault3 Plus. This vulnerability stems from out-of-bounds read and write issues within the Broadcom Storage Adapter functionality of the ControlVault WBDI Driver. Exploitation of this vulnerability can lead to memory corruption.
Technical Details
The vulnerability resides in Dell ControlVault3 prior to version 5.15.14.19 and Dell ControlVault3 Plus prior to version 6.2.36.47. A specially crafted WinBioControlUnit call can trigger it. Specifically, the vulnerability is triggered when a WinBioControlUnit call is submitted to the StorageAdapter with the ControlCode WBIO_USH_GET_IDENTITY (value 2) and a ReceiveBufferSize of at least 4 but less than 80, i.e. 4 <= ReceiveBufferSize < 80. This leads to an out-of-bounds write of up to 75 bytes. The bytes written can be null bytes or, under specific conditions (e.g., leveraging another vulnerability to control the identity data in the database), potentially attacker-controlled data.
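As an added illustration (not code from Dell's driver or from this advisory), the following C snippet shows the check that a request handler of this kind needs before it copies a response into the caller-supplied buffer: the caller's ReceiveBufferSize must be validated against the full size of the record being returned, not just a header. It assumes the identity record is 80 bytes, which matches the advisory's statement that any ReceiveBufferSize below 80 is too small; the function names, status codes and sample record data are constructed for the example. The ControlCode value 2 is the one stated in the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Value stated in the advisory. */
#define WBIO_USH_GET_IDENTITY 2u

/* Assumption for this illustration (not taken from the ControlVault driver):
 * the identity record returned for WBIO_USH_GET_IDENTITY is modeled as an
 * 80-byte structure, matching the advisory's trigger range of
 * ReceiveBufferSize below 80. */
#define IDENTITY_RECORD_SIZE 80u

enum cv_status {
    CV_OK = 0,
    CV_BAD_CONTROL_CODE,
    CV_BAD_POINTER,
    CV_BUFFER_TOO_SMALL
};

/* True for the ReceiveBufferSize range the advisory names as the trigger
 * (4 <= size < 80). Useful in a driver self-test or a telemetry rule that
 * flags undersized GET_IDENTITY requests to the storage adapter. */
bool is_trigger_receive_size(size_t recv_size)
{
    return recv_size >= 4 && recv_size < IDENTITY_RECORD_SIZE;
}

/* Hardened handler: validates the caller's buffer against the full record size
 * before any write. On failure nothing is written and *bytes_written is 0, so
 * the caller can be told the required size instead of being overrun. */
enum cv_status get_identity_checked(uint32_t control_code, const uint8_t *record,
                                    uint8_t *recv_buf, size_t recv_size,
                                    size_t *bytes_written)
{
    if (bytes_written) *bytes_written = 0;
    if (control_code != WBIO_USH_GET_IDENTITY) return CV_BAD_CONTROL_CODE;
    if (record == NULL || recv_buf == NULL || bytes_written == NULL) return CV_BAD_POINTER;
    /* The essential check: the whole record must fit, not only a header. */
    if (recv_size < IDENTITY_RECORD_SIZE) return CV_BUFFER_TOO_SMALL;
    memcpy(recv_buf, record, IDENTITY_RECORD_SIZE);
    *bytes_written = IDENTITY_RECORD_SIZE;
    return CV_OK;
}

/* Self-check: drive the handler with every buffer size from 0 to 80 over a
 * constructed record and confirm that no size below 80 results in a write and
 * that a size of 80 fills exactly 80 bytes. Returns the number of failures. */
int run_boundary_selfcheck(void)
{
    uint8_t record[IDENTITY_RECORD_SIZE];
    for (size_t i = 0; i < sizeof record; i++) record[i] = (uint8_t)(0xA0 + i); /* constructed data */

    /* One guard byte after the 80-byte region catches any overrun. */
    uint8_t buf[IDENTITY_RECORD_SIZE + 1];
    size_t written;
    int failures = 0;

    for (size_t size = 0; size <= IDENTITY_RECORD_SIZE; size++) {
        memset(buf, 0xCC, sizeof buf);
        enum cv_status st = get_identity_checked(WBIO_USH_GET_IDENTITY, record, buf, size, &written);
        if (size < IDENTITY_RECORD_SIZE) {
            if (st != CV_BUFFER_TOO_SMALL || written != 0 || buf[0] != 0xCC) failures++;
        } else {
            if (st != CV_OK || written != IDENTITY_RECORD_SIZE ||
                memcmp(buf, record, IDENTITY_RECORD_SIZE) != 0 ||
                buf[IDENTITY_RECORD_SIZE] != 0xCC) failures++;
        }
    }
    return failures;
}

int main(void)
{
    int failures = run_boundary_selfcheck();
    printf("boundary self-check: %d failure(s)\n", failures);
    return failures != 0;
}
```

The point of the self-check loop is that the boundary is tested on both sides: every size in the advisory's trigger range is rejected before any byte is written, and the first accepted size writes exactly the record length and nothing past it.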
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-36460 is 7.3, indicating a High severity. This score reflects the potential for significant impact due to memory corruption.
Possible Impact
Successful exploitation of CVE-2025-36460 can lead to:
- Memory corruption
- Potential for arbitrary code execution (if attacker-controlled data can be written)
- System instability
- Denial-of-service
Mitigation and Patch Steps
To mitigate this vulnerability, Dell recommends updating to the following versions or later:
- Dell ControlVault3: Version 5.15.14.19
- Dell ControlVault3 Plus: Version 6.2.36.47
Users should download and install the latest updates from the Dell support website. It is crucial to apply these updates as soon as possible to protect systems from potential exploitation.
