Intel QuickAssist Technology
CVE-2025-35998
HIGH
Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local access with pre-existing Ring 0 privileges (PR:H), and the stated attack requirement plus 'special internal knowledge' justify AC:H; high confidentiality/integrity to kernel state, no availability impact, no scope change.
Primary rating from Vendor (intel).
CVSS VectorVendor: intel
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
AnalysisAI
Privilege escalation in Intel QuickAssist Technology (QAT) on certain Intel platforms allows a system-software adversary already holding privileged (Ring 0 / kernel-level) access to read and corrupt kernel state via an unprotected alternate hardware interface. The flaw stems from a missing protection mechanism on a secondary hardware control path, yielding high confidentiality and integrity impact but no availability loss. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not listed in CISA KEV.
Technical ContextAI
Intel QuickAssist Technology is a hardware accelerator integrated into select Intel server platforms (Xeon-class CPUs and chipsets) that offloads cryptographic and compression workloads from the CPU, exposed to the OS through kernel-mode drivers and device interfaces. The root cause is CWE-1299 (Missing Protection Mechanism for Alternate Hardware Interface): the device exposes a secondary/alternate hardware interface that lacks the access-control or protection enforcement applied to the primary interface, so a privileged kernel-level actor can reach state that should have been gated. Because the affected component operates within Ring 0, any weakness in the interface directly intersects the most trusted execution context, where confidentiality and integrity guarantees of kernel memory and device state are at stake.
Affected ProductsAI
The vulnerability affects Intel QuickAssist Technology (QAT) on 'some Intel Platforms' per Intel advisory INTEL-SA-01406 (https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01406.html); exact affected platform/firmware/driver version ranges are enumerated in that advisory and were not provided as discrete CPE entries in the input. Red Hat tracks Linux distribution exposure for CVE-2025-35998 (https://access.redhat.com/security/cve/CVE-2025-35998) with errata RHSA-2026:6888 (https://access.redhat.com/errata/RHSA-2026:6888), Bugzilla 2438523, and a machine-readable VEX record (https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-35998.json) covering the affected Linux QAT kernel driver packages.
RemediationAI
Apply the vendor fixes: update Intel QuickAssist Technology firmware/drivers to the patched releases identified in Intel advisory INTEL-SA-01406, and on Red Hat Enterprise Linux apply the kernel/driver update shipped in RHSA-2026:6888 (and equivalent updates from your distribution) - Patch available per vendor advisory; exact fixed version numbers are specified in those advisories and should be taken from them rather than assumed. If immediate patching is not possible, reduce exposure of the alternate hardware interface by restricting which workloads and tenants are granted kernel/privileged access to QAT-enabled hosts, disabling QAT acceleration where it is not required (side effect: loss of crypto/compression offload performance, falling back to software paths), and tightening host trust boundaries on systems where untrusted privileged software could run. Because exploitation already requires Ring 0 / privileged access, hardening the set of code permitted at that level is the most effective compensating control.
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0
Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra
Same technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today