Talos Vulnerability Report

TALOS-2026-2443

Microsoft Windows NETIO.sys NsipGetAllInformationProviderParameters Information Disclosure Vulnerability

July 15, 2026

CVE Number

CVE-2026-50475

Summary

An out-of-bounds pointer offset vulnerability exists in the NsipGetAllInformationProviderParameters function of the Microsoft Windows NETIO.sys driver. A specially crafted I/O request packet (IRP) can cause disclosure of sensitive information.

Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

NETIO.sys (version(s): 10.0.26100.8457)

Product URLs

NETIO.sys - https://www.microsoft.com/

CVSSv3 Score

5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-823 - Use of Out-of-range Pointer Offset

Details

Windows NETIO.sys (Network I/O Subsystem) is a core kernel-mode networking driver that acts as the primary infrastructure layer and engine framework for the Windows network stack. Rather than implementing specific protocol logic itself (like TCP or UDP), NETIO.sys provides the underlying memory management, state tracking, and interface abstractions—such as the Network Module Registrar (NMR) and the Network Store Interface (NSI)—that bind protocol drivers like tcpip.sys to lower-level components. It works closely with nsiproxy.sys, NDIS, Windows Filtering Platform (WFP), and TDI filters to orchestrate, route, and dispatch IOCTL configuration parameters, interface states, and packet buffers seamlessly across the entire network architecture.

When a specially crafted IRP request is sent to the handler for the 0x120007 IOCTL, it invokes the NsipGetAllInformationProviderParameters function.

``` fffff80732f43960 uint64_t NsipGetAllInformationProviderParameters(void* arg1)

fffff80732f43960 { fffff80732f43960 int32_t* arg_10 = nullptr; fffff80732f43973 int32_t* arg_18 = nullptr; fffff80732f43978 uint128_t* keyBuffer = (uint64_t)((char)arg1 + 0x10); //<———- (1) fffff80732f4397c int32_t route = *(uint32_t)((char)arg1 + 0x20); //<————– (2) fffff80732f43981 int32_t rbx; fffff80732f43981 int32_t rcx_3; fffff80732f43981 int32_t* rdx_2; fffff80732f43981
fffff80732f43981 if (!route) fffff80732f43981 { fffff80732f439c9 int64_t var_38 = 0; fffff80732f439d2 int64_t var_28_1 = 0; fffff80732f439d7 uint128_t* keyBuffer_1 = keyBuffer; fffff80732f439db int32_t* rax_2 = NsipGetNmpContext(&var_38); //<———— (3) fffff80732f439e0 rcx_3 = rax_2; fffff80732f439e0
fffff80732f439e6 if (!rax_2) fffff80732f439fa rbx = -0x3ffffddb; fffff80732f439e8 struct InterfaceDispatch* dispatcherObject = fffff80732f439e8 (uint64_t)((char)rax_2 + 0x30); //<———— (4) fffff80732f439ec uint64_t TableIndex = fffff80732f439ec (uint64_t)(uint32_t)((char)keyBuffer + 0x18); fffff80732f439ec
fffff80732f439f3 if ((uint32_t)TableIndex <= dispatcherObject->maxVtableIndex) //<———— (5) fffff80732f439f3 { fffff80732f43a05 rdx_2 = TableIndex * 0x68 + dispatcherObject->vtable; fffff80732f43a09 rbx = 0; fffff80732f43a0b label_fffff80732f43a0b: fffff80732f43a0b int128_t* r8_3 = (uint64_t)((char)arg1 + 0x48); fffff80732f43a0b
fffff80732f43a12 if (r8_3) fffff80732f43a12 { fffff80732f43a14 *(uint32_t
)((char)arg1 + 0x50) = 0x10; fffff80732f43a1d (uint32_t)var_38 = *(uint32_t)rdx_2; fffff80732f43a23 (uint32_t)((char)&var_38 + 4) = rdx_2[1]; fffff80732f43a29 (uint32_t)keyBuffer_1 = rdx_2[2]; fffff80732f43a2f *(uint32_t)((char)&keyBuffer_1 + 4) = rdx_2[3]; fffff80732f43a36 *(uint128_t)r8_3 = var_38; fffff80732f43a12 } fffff80732f43a12
fffff80732f43a3b (uint32_t)((char)arg1 + 0x30) = 0; fffff80732f43a3f *(uint32_t)((char*)arg1 + 0x40) = 0; fffff80732f43a43 NsipDereferenceNmpContext(rcx_3); fffff80732f439f3 } fffff80732f439f3 else fffff80732f439f3 { fffff80732f439f5 NsipDereferenceNmpContext(rcx_3); fffff80732f439fa rbx = -0x3ffffddb; fffff80732f439f3 } fffff80732f439e6 }

```

At (1), the user-controlled input buffer, KeyBuffer, is read. At (2), route is read. This is a user-controlled value, and the vulnerable code path is followed when the value of route is 0x00. The structure of KeyBuffer is as follows:

Offset Size Name -------------------------- 0x00 0x04 Length 0x04 0x04 Type 0x08 0x10 GUID 0x18 0x04 TableIndex

The NsipGetNmpContext method is called at (3), which uses the GUID from KeyBuffer to select dispatcherObject. dispatcherObject is assigned at (4). The dispatcherObject contains a vtable and the properties of each function pointer present in the vtable. The maxVtableIndex field of dispatcherObject indicates the maximum number of function pointers present in the vtable. The TableIndex field of KeyBuffer is used to access the properties of a function pointer from the vtable, which are returned in the output buffer.

The vulnerability occurs at (5), where the code checks whether TableIndex is less than or equal to maxVtableIndex; however, TableIndex should always be less than maxVtableIndex. This allows an off-by-one read of the vtable properties. This can result in the disclosure of 0x10 bytes, corresponding to the size of the output buffer.

This can be observed while debugging the machine with WinDbg:

``` 1: kd> g Breakpoint 4 hit NETIO!NsipGetAllInformationProviderParameters+0x88: fffff80732f439e8 4c8b4030 mov r8,qword ptr [rax+30h] 0: kd> r rax=ffff8a8b0c4c9130 rbx=ffff8a8b117313b8 rcx=ffff8a8b0c4c9130 rdx=fffff807331f5cc0 rsi=0000000000000010 rdi=ffff8982d4daed60 rip=fffff80732f439e8 rsp=ffff8982d4daec80 rbp=ffff8982d4daecc0 r8=0000000000000000 r9=fffff80732f74c90 r10=fffff8079f5f9690 r11=ffff8982d4daecc0 r12=ffff8982d4daedb0 r13=fffff80732f74470 r14=ffff8a8b11be5b10 r15=fffff80732f5b4f0 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040286 NETIO!NsipGetAllInformationProviderParameters+0x88: fffff80732f439e8 4c8b4030 mov r8,qword ptr [rax+30h] ds:002b:ffff8a8b0c4c9160={tcpip!TcpNsiInterfaceDispatch (fffff80733238270)} ;<——————— (A) 0: kd> p NETIO!NsipGetAllInformationProviderParameters+0x8c: fffff80732f439ec 8b4318 mov eax,dword ptr [rbx+18h] 0: kd> r rax=ffff8a8b0c4c9130 rbx=ffff8a8b117313b8 rcx=ffff8a8b0c4c9130 rdx=fffff807331f5cc0 rsi=0000000000000010 rdi=ffff8982d4daed60 rip=fffff80732f439ec rsp=ffff8982d4daec80 rbp=ffff8982d4daecc0 r8=fffff80733238270 r9=fffff80732f74c90 r10=fffff8079f5f9690 r11=ffff8982d4daecc0 r12=ffff8982d4daedb0 r13=fffff80732f74470 r14=ffff8a8b11be5b10 r15=fffff80732f5b4f0 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040286 NETIO!NsipGetAllInformationProviderParameters+0x8c: fffff80732f439ec 8b4318 mov eax,dword ptr [rbx+18h] ds:002b:ffff8a8b117313d0=00000026 ; <----------- (B) 0: kd> p NETIO!NsipGetAllInformationProviderParameters+0x8f: fffff80732f439ef 413b4004 cmp eax,dword ptr [r8+4] 0: kd> r rax=0000000000000026 rbx=ffff8a8b117313b8 rcx=ffff8a8b0c4c9130 rdx=fffff807331f5cc0 rsi=0000000000000010 rdi=ffff8982d4daed60 rip=fffff80732f439ef rsp=ffff8982d4daec80 rbp=ffff8982d4daecc0 r8=fffff80733238270 r9=fffff80732f74c90 r10=fffff8079f5f9690 r11=ffff8982d4daecc0 r12=ffff8982d4daedb0 r13=fffff80732f74470 r14=ffff8a8b11be5b10 r15=fffff80732f5b4f0 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040286 NETIO!NsipGetAllInformationProviderParameters+0x8f: fffff80732f439ef 413b4004 cmp eax,dword ptr [r8+4] ds:002b:fffff80733238274=00000026 ;<——————— (C) 0: kd> db rbx L1c ;<————— (D) ffff8a8b117313b8 18 00 00 00 01 00 00 00-03 4a 00 eb 1a 9b d4 11 .........J...... ffff8a8b117313c8 91 23 00 50 04 77 59 bc-26 00 00 00 .#.P.wY.&… 0: kd> p NETIO!NsipGetAllInformationProviderParameters+0x93: fffff80732f439f3 760c jbe NETIO!NsipGetAllInformationProviderParameters+0xa1 (fffff80732f43a01) 0: kd> p NETIO!NsipGetAllInformationProviderParameters+0xa1: fffff80732f43a01 486bd068 imul rdx,rax,68h 0: kd> r rax=0000000000000026 rbx=ffff8a8b117313b8 rcx=ffff8a8b0c4c9130 rdx=fffff807331f5cc0 rsi=0000000000000010 rdi=ffff8982d4daed60 rip=fffff80732f43a01 rsp=ffff8982d4daec80 rbp=ffff8982d4daecc0 r8=fffff80733238270 r9=fffff80732f74c90 r10=fffff8079f5f9690 r11=ffff8982d4daecc0 r12=ffff8982d4daedb0 r13=fffff80732f74470 r14=ffff8a8b11be5b10 r15=fffff80732f5b4f0 iopl=0 nv up ei pl zr na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040246 NETIO!NsipGetAllInformationProviderParameters+0xa1: fffff80732f43a01 486bd068 imul rdx,rax,68h 0: kd> p NETIO!NsipGetAllInformationProviderParameters+0xa5: fffff80732f43a05 49035008 add rdx,qword ptr [r8+8] 0: kd> p NETIO!NsipGetAllInformationProviderParameters+0xa9: fffff80732f43a09 33db xor ebx,ebx 0: kd> r rax=0000000000000026 rbx=ffff8a8b117313b8 rcx=ffff8a8b0c4c9130 rdx=fffff80733229210 rsi=0000000000000010 rdi=ffff8982d4daed60 rip=fffff80732f43a09 rsp=ffff8982d4daec80 rbp=ffff8982d4daecc0 r8=fffff80733238270 r9=fffff80732f74c90 r10=fffff8079f5f9690 r11=ffff8982d4daecc0 r12=ffff8982d4daedb0 r13=fffff80732f74470 r14=ffff8a8b11be5b10 r15=fffff80732f5b4f0 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040282 NETIO!NsipGetAllInformationProviderParameters+0xa9: fffff80732f43a09 33db xor ebx,ebx 0: kd> dq fffff80733229210 L2 ;<--------------- (E) fffff80733229210 fffff8073316a100 fffff807330dc3a0 0: kd> p NETIO!NsipGetAllInformationProviderParameters+0xab: fffff807`32f43a0b 4c8b4748 mov r8,qword ptr [rdi+48h]

```

GUID {eb004a03-9b1a-11d4-9123-0050047759bc} returns the TcpNsiInterfaceDispatch dispatcherObject, as shown at (A). The value of maxVtableIndex for TcpNsiInterfaceDispatch is 0x26. At (C), it can be observed that TableIndex is 0x26, causing the comparison to evaluate to true. This results in a leak of the addresses shown in (E). The same addresses are observed in the PoC:

``` [+] Successfully opened NSI device handle: 0x3e0 […]

[+] DeviceIoControl succeeded! [+] Raw ouput data: b’\x00\xa1\x163\x07\xf8\xff\xff\xa0\xc3\r3\x07\xf8\xff\xff’ [+] leak_1: FFFFF8073316A100 [+] leak_2: FFFFF807330DC3A0 [+] tcpip.sys base address=0xFFFFF80733010000 for version 10.0.26100.8457

```

The PoC calculates the tcpip.sys base address from the leaked address. The base address of tcpip.sys can be verified in the debugger. ``` 1: kd> lmm tcpip Browse full module list start end module name fffff80733010000 fffff80733369000 tcpip (pdb symbols) C:\ProgramData\Dbg\sym\tcpip.pdb\D6947ED1ADE91B23FA5AFE8178A2AF0F1\tcpip.pdb

```

Vendor Response (CVE-2026-50475)

Vendor Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50475

Timeline

2026-06-12 - Vendor Disclosure
2026-07-14 - Vendor Patch Release
2026-07-14 - Public Release

Credit

KPC of Cisco Talos