
Talos Vulnerability Report

TALOS-2024-2129

Dell ControlVault3 cv_close arbitrary free vulnerability

August 9, 2025

CVE Number
CVE-2025-25215

SUMMARY
An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 5.14.3.0. A specially crafted ControlVault API call can lead to an arbitrary free. An attacker can forge a fake session to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Broadcom BCM5820X
Dell ControlVault3 5.14.3.0
Dell ControlVault3 Driver and Firmware prior to 5.15.10.14
Dell ControlVault3 Plus Driver and Firmware prior to 6.2.26.36

PRODUCT URLS
ControlVault3 – https://dell.com/
BCM5820X – https://www.broadcom.com/products/embedded-and-networking-processors/secure/bcm5820x

CVSSv3 SCORE
8.2 – CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE
CWE-763 – Release of Invalid Pointer or Reference

DETAILS
Dell ControlVault is a hardware-based solution that can securely store passwords, biometric templates and security codes. It can interface with smart cards, Near-field Communication (NFC) devices and fingerprint readers. The hardware solution is based on the Broadcom BCM5820X chip series.

Context
On Windows, any low-privilege user can interface with the ControlVault3 hardware. In order to do so, a userland DLL, bcmbipdll.dll, can be used to talk to the device driver cvusbdrv.sys, which in turn talks over USB to…
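The bug class the summary names (CWE-763, a close handler that releases whatever pointer a caller-forged session record carries) next to a hardened, handle-based replacement, as an added example. This is not Talos's, Dell's or Broadcom's code, and the session layout, function names, magic constant and slot table are constructed for the illustration; they say nothing about the real ControlVault firmware's data structures.

```c
/*
 * Model of a CWE-763 "release of invalid pointer" bug in a session close
 * handler, plus a hardened version. Added example, not ControlVault code:
 * every name, layout and constant below is constructed for the demonstration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SESSIONS  4
#define SESSION_MAGIC 0x43563341u   /* constructed tag, not a real firmware value */

/* Hypothetical session record; not the real firmware layout. */
struct cv_session {
    uint32_t magic;
    uint32_t id;
    uint8_t *buf;      /* per-session heap buffer, released on close */
    size_t   buf_len;
    int      in_use;
};

static struct cv_session g_sessions[MAX_SESSIONS];

/* Instrumented free so a caller can observe which pointer the handler released. */
static uintptr_t g_last_freed;
static void fw_free(void *p) { g_last_freed = (uintptr_t)p; free(p); }

/* Allocate a session slot; returns an opaque handle (slot index) or -1. */
int cv_open(uint32_t id, size_t len) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (g_sessions[i].in_use) continue;
        uint8_t *buf = calloc(1, len ? len : 1);
        if (buf == NULL) return -1;
        g_sessions[i] = (struct cv_session){ SESSION_MAGIC, id, buf, len, 1 };
        return i;
    }
    return -1;
}

/*
 * VULNERABLE PATTERN (CWE-763): the handler accepts the session object itself
 * from the API caller and releases whatever pointer it carries. A caller that
 * fabricates a session record therefore chooses the address handed to free():
 * an arbitrary free. A magic value does not help; the caller can write it too.
 */
int cv_close_unchecked(struct cv_session *s) {
    if (s == NULL || s->magic != SESSION_MAGIC) return -1;
    fw_free(s->buf);
    s->buf = NULL;
    s->in_use = 0;
    return 0;
}

/*
 * HARDENED: the caller only ever supplies an opaque handle. The handler
 * resolves it against the firmware-owned table, rejects out-of-range, unused
 * or tampered slots, and frees only memory the table itself owns.
 */
int cv_close_checked(uint32_t handle) {
    if (handle >= MAX_SESSIONS) return -1;
    struct cv_session *s = &g_sessions[handle];
    if (!s->in_use || s->magic != SESSION_MAGIC) return -1;
    fw_free(s->buf);
    memset(s, 0, sizeof *s);   /* slot fully reset, so a second close is rejected */
    return 0;
}

int main(void) {
    int h = cv_open(1, 64);
    uint8_t *victim = malloc(32);          /* memory the caller must not control */
    uintptr_t victim_addr = (uintptr_t)victim;

    /* Forged session record pointing at someone else's allocation. */
    struct cv_session forged = { SESSION_MAGIC, 99, victim, 32, 1 };
    cv_close_unchecked(&forged);
    printf("unchecked close freed the attacker-chosen pointer: %s\n",
           g_last_freed == victim_addr ? "yes" : "no");

    printf("checked close of forged handle 99: %d\n", cv_close_checked(99));
    printf("checked close of real handle %d: %d\n", h, cv_close_checked((uint32_t)h));
    printf("second close of the same handle: %d\n", cv_close_checked((uint32_t)h));
    return 0;
}
```

The decisive difference is not the magic check but the trust boundary: the hardened handler never dereferences or frees anything the caller handed it, only slots in a table the firmware owns, and it wipes the slot so a repeated close cannot become a double free.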