Nettitude Blog

McAfee File Lock Driver - Kernel Memory Leak

Posted by Kyriakos Economou on Jan 26, 2016 3:28:49 PM
  • CVE: CVE-2015-8772
  •  Vendor: McAfee - Intel Security
  •  Reported by: Kyriakos Economou
  •  Date of Release: 26/01/2016
  •  Date of Fix: N/A
  •  Affected Products: Multiple
  •  Affected Version: McPvDrv.sys v4.6.111.0
  •  Fixed Version: N/A


McAfee File Lock Driver does not handle correctly IOCTL_DISK_VERIFY IOCTL requests, which leads to kernel memory leak through specifically crafted IOCTLs. Normally the IOCTL_DISK_VERIFY IOCTL is used to verify an extent on a fixed disk and doesn't return any data.

We have verified this issue in the latest McAfee File Lock v5.x which ships with McAfee total protection suite. However, other products that include this package will also be affected.

Vulnerable module: McPvDrv.sys v4.6.111.0

Earlier versions of this kernel driver are probably affected by the same issue.


A local attacker might be able to disclose sensitive information from kernel memory or crash the affected host.

Technical Details:

When we send an IOCTL_DISK_VERIFY IOCTL request the input buffer parameter of DeviceIoControl function must be a pointer to a VERIFY_INFORMATION data structure.

typedef struct _VERIFY_INFORMATION {
LARGE_INTEGER StartingOffset;
DWORD Length;

The kernel memory leak is generated by the fact that the McPvDrv.sys driver doesn't validate the VERIFY_INFORMATION.Length which is controlled by our input buffer. Furthermore, the driver trusts that value as the size of the input buffer allocated in kernel space, causing the associated function to read data passed the size of the speficied input buffer and read arbitrary data from kernel address space back to userland into a specified output buffer.

Disclosure Log:

Vendor Contacted: 16/09/2015
Request for feedback: 21/09/2015 - No response
Request for feedback: 08/10/2015 - No response
Request for feedback: 13/01/2016 - No response
Public Disclosure: 26/01/2016


Copyright © Nettitude Limited 2016, All rights reserved worldwide.


The information herein contained may change without notice. Any use of this information is at the user’s risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.

To contact Nettitude’s editor, please email

Topics: Security Blog, Uncategorized

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

In 2018, Nettitude became part of Lloyd’s Register, an 8,000 person strong professional services organisation, with 300 years of heritage in safety and risk management. Nettitude now provides true global coverage, through a network of over 180 offices strategically placed around the globe.

Subscribe Here!

Recent Posts