CVE-2018-5410 in Dokaninfo

Summary

by MITRE

Dokan, versions between 1.0.0.5000 and 1.2.0.1000, are vulnerable to a stack-based buffer overflow in the dokan1.sys driver. An attacker can create a device handle to the system driver and send arbitrary input that will trigger the vulnerability. This vulnerability was introduced in the 1.0.0.5000 version update.

Analysis

by VulDB Data Team • 02/25/2026

CVE-2018-5410 affects Dokan file system drivers versioned between 1.0.0.5000 and 1.2.0.1000 and is a critical stack-based buffer overflow in the dokan1.sys kernel driver. It arises from insufficient input validation and bounds checking in the driver's processing logic. The flaw was introduced with the 1.0.0.5000 version update, which indicates that it came in through changes to the driver's handling of device control requests. It sits in kernel-mode code that processes user-supplied data without adequate sanitization or size verification, which makes the driver susceptible to memory corruption attacks.

The technical exploitation of this vulnerability occurs when an attacker establishes a device handle to the vulnerable dokan1.sys driver and subsequently sends crafted input data through device control commands. This input data triggers the buffer overflow condition in the kernel space, where the driver fails to properly validate the size of incoming buffers before copying data into fixed-size stack buffers. The stack-based nature of the overflow means that the attacker can overwrite adjacent stack memory locations, potentially corrupting return addresses, function pointers, or other critical execution context data. The vulnerability's exploitation path follows a typical kernel-mode buffer overflow attack pattern where the attacker leverages the device handle to gain control over the driver's execution flow, potentially enabling privilege escalation to kernel-level access.
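The missing size check described above, sketched in user-mode C as an added example. It is not Dokan's driver code: the request layout (a 2-byte declared length followed by the payload), the 64-byte buffer and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_BYTES   sizeof(uint16_t)  /* declared payload length, host byte order */
#define LOCAL_BYTES 64                /* fixed stack buffer; size chosen for this example */

enum { ERR_SHORT_INPUT = -1, ERR_EXCEEDS_INPUT = -2, ERR_EXCEEDS_BUFFER = -3 };

/* Sum the copied bytes so the copy has an observable result. */
static int sum_bytes(const uint8_t *p, size_t n) {
    int s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Flawed pattern: the caller-declared length drives the copy unchecked. */
int handle_request_unchecked(const uint8_t *in, size_t in_len) {
    uint8_t local[LOCAL_BYTES];
    uint16_t declared;
    (void)in_len;                             /* never consulted: part of the flaw */
    memcpy(&declared, in, HDR_BYTES);
    memcpy(local, in + HDR_BYTES, declared);  /* writes past local if declared > 64 */
    return sum_bytes(local, declared);
}

/* Hardened pattern: all three length checks pass before any payload byte moves. */
int handle_request_checked(const uint8_t *in, size_t in_len) {
    uint8_t local[LOCAL_BYTES];
    uint16_t declared;
    if (in == NULL || in_len < HDR_BYTES)
        return ERR_SHORT_INPUT;               /* header itself is incomplete */
    memcpy(&declared, in, HDR_BYTES);
    if (declared > in_len - HDR_BYTES)
        return ERR_EXCEEDS_INPUT;             /* would read past the supplied input */
    if (declared > sizeof(local))
        return ERR_EXCEEDS_BUFFER;            /* would write past the stack buffer */
    memcpy(local, in + HDR_BYTES, declared);
    return sum_bytes(local, declared);
}

int main(void) {
    uint8_t big[HDR_BYTES + 200] = {0};       /* constructed request, declares 200 bytes */
    uint16_t len = 200;
    memcpy(big, &len, HDR_BYTES);
    printf("oversized request -> %d\n", handle_request_checked(big, sizeof(big)));
    return 0;
}
```

The checked handler validates the declared length against both the bytes actually received and the destination buffer, so a request is rejected before the copy rather than detected after memory is already corrupted.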

The operational impact of CVE-2018-5410 extends beyond simple denial-of-service conditions, as this vulnerability can enable full system compromise when successfully exploited. An attacker with local access to a system running vulnerable Dokan versions can leverage this flaw to execute arbitrary code with kernel-level privileges, bypassing standard operating system security mechanisms and access controls. The vulnerability affects any system utilizing Dokan-based file system drivers, including applications that rely on Dokan for creating virtual file systems, network drives, or cloud storage integrations. This makes the attack surface particularly broad across enterprise environments where Dokan is used for legitimate file system virtualization purposes, potentially allowing attackers to establish persistent backdoors, escalate privileges, or extract sensitive data from protected system areas.

Mitigation for CVE-2018-5410 should prioritize immediate patching of affected Dokan versions to 1.2.0.1001 or later, which contains the necessary fixes for the buffer overflow condition. Organizations should monitor for suspicious device handle creation and device control operations that may indicate exploitation attempts. If immediate patching is not feasible, system administrators should consider temporarily disabling Dokan-based applications and should maintain strict access controls that prevent unauthorized users from creating device handles to the vulnerable driver. The vulnerability aligns with the CWE-121 (stack-based buffer overflow) classification and maps to attack techniques documented in the MITRE ATT&CK framework under privilege escalation and kernel-mode exploitation tactics. Security teams should also deploy endpoint detection and response solutions capable of identifying anomalous kernel-mode memory access patterns and device driver interactions that may indicate exploitation of this vulnerability.

Reservation

01/12/2018

Disclosure

01/07/2019

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00984

KEV

no

Activities

very low
