CVE-2025-36462: CWE-805 - Buffer Access with Incorrect Length Value in Broadcom BCM5820X
Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 3 (`WBIO_USH_CREATE_CHALLENGE`) and an invalid `ReceiveBufferSize`.
AI Analysis
Technical Summary
CVE-2025-36462 is a buffer access vulnerability classified under CWE-805, affecting the Broadcom BCM5820X component integrated into Dell ControlVault3 and ControlVault3 Plus security modules. The flaw arises from improper validation of the ReceiveBufferSize parameter in the WinBioControlUnit API call, specifically when ControlCode 3 (WBIO_USH_CREATE_CHALLENGE) is invoked. This leads to multiple out-of-bounds memory reads and writes, causing memory corruption. The vulnerability requires a local attack vector (AV:L) and low attack complexity (AC:L) to exploit, with user interaction (UI:R) needed to trigger the malicious API call. The impact scope is unchanged (S:U), but the consequences are severe, with high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). The affected versions are Dell ControlVault3 prior to 5.15.14.19 and ControlVault3 Plus prior to 6.2.36.47. Although no public exploits have been observed, the vulnerability poses a significant risk due to the sensitive nature of ControlVault modules, which handle biometric authentication and secure key storage. The vulnerability was reserved in April 2025 and published in November 2025. No patches are currently linked, indicating that organizations should monitor vendor advisories closely. The vulnerability could allow an attacker with local access to escalate privileges, bypass security controls, or cause denial of service by corrupting memory within the security module firmware.
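The defect class described above (CWE-805) is a handler that takes the caller's length value as the truth about how much memory it may read or write. The following C program is an added illustration written for this page; it is not Dell's or Broadcom's driver code, and nothing about the real driver's internals is on the page. The `ctl_request` structure, the `CHALLENGE_LEN` constant, the status codes and the `trusted_capacity` argument are all constructed for the example. Only the control-code name and value (`WBIO_USH_CREATE_CHALLENGE`, 3) and the parameter name `ReceiveBufferSize` come from the advisory text.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes for the hypothetical control handler (constructed). */
enum ctl_status {
    CTL_OK = 0,
    CTL_ERR_BAD_CONTROL_CODE,
    CTL_ERR_NULL_BUFFER,
    CTL_ERR_LENGTH_EXCEEDS_BUFFER,  /* claimed size larger than the real mapping */
    CTL_ERR_BUFFER_TOO_SMALL        /* claimed size cannot hold the response */
};

/* Control code named on the page; its numeric value 3 is also from the page. */
#define WBIO_USH_CREATE_CHALLENGE 3

/* Length of the challenge a "create challenge" request returns (constructed). */
#define CHALLENGE_LEN 32

/* Caller-supplied request, modelled loosely on the WinBioControlUnit parameter
 * names the page mentions. receive_buffer_size is UNTRUSTED input. */
struct ctl_request {
    uint32_t control_code;
    uint8_t *receive_buffer;
    size_t   receive_buffer_size;
};

/* Deterministic stand-in for a firmware challenge generator (constructed). */
static void fill_challenge(uint8_t *dst, size_t len) {
    for (size_t i = 0; i < len; i++)
        dst[i] = (uint8_t)(0xA5 ^ (i * 7));
}

/* Weak form: the caller's length value drives the copy. A value larger than
 * CHALLENGE_LEN reads past the internal challenge buffer; a value larger than
 * the real capacity of receive_buffer writes past it. This is the CWE-805
 * pattern; it is shown only for contrast and is never called below. */
enum ctl_status create_challenge_unchecked(struct ctl_request *req) {
    uint8_t challenge[CHALLENGE_LEN];
    fill_challenge(challenge, sizeof challenge);
    memcpy(req->receive_buffer, challenge, req->receive_buffer_size);
    return CTL_OK;
}

/* Hardened form. trusted_capacity is the destination size the handler has
 * established independently of the request (in a driver, the length the I/O
 * manager validated when mapping the user buffer); the caller's field is only
 * accepted if it is consistent with that, and the copy length is the fixed
 * response size, never the caller's number. */
enum ctl_status create_challenge_checked(const struct ctl_request *req,
                                         size_t trusted_capacity,
                                         size_t *bytes_written) {
    if (bytes_written) *bytes_written = 0;
    if (req->control_code != WBIO_USH_CREATE_CHALLENGE)
        return CTL_ERR_BAD_CONTROL_CODE;
    if (req->receive_buffer == NULL)
        return CTL_ERR_NULL_BUFFER;
    if (req->receive_buffer_size > trusted_capacity)
        return CTL_ERR_LENGTH_EXCEEDS_BUFFER;   /* caller lied about its buffer */
    if (req->receive_buffer_size < CHALLENGE_LEN)
        return CTL_ERR_BUFFER_TOO_SMALL;        /* response would not fit */

    uint8_t challenge[CHALLENGE_LEN];
    fill_challenge(challenge, sizeof challenge);
    memcpy(req->receive_buffer, challenge, CHALLENGE_LEN);  /* fixed length */
    if (bytes_written) *bytes_written = CHALLENGE_LEN;
    return CTL_OK;
}

int main(void) {
    uint8_t out[64];
    struct ctl_request req = { WBIO_USH_CREATE_CHALLENGE, out, sizeof out };
    size_t n = 0;
    enum ctl_status st = create_challenge_checked(&req, sizeof out, &n);
    printf("status=%d bytes_written=%zu first=0x%02x\n", st, n, out[0]);

    req.receive_buffer_size = 4096;   /* oversized claim: must be rejected */
    st = create_challenge_checked(&req, sizeof out, &n);
    printf("oversized claim -> status=%d\n", st);
    return 0;
}
```

The check that matters for this advisory is the comparison against `trusted_capacity`: a handler that only compares the caller's size against the response size still trusts the caller's number for the write, so both comparisons are needed before any copy happens.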
Potential Impact
For European organizations, the impact of CVE-2025-36462 is substantial, especially for enterprises and government agencies relying on Dell hardware with ControlVault3 modules for biometric authentication or cryptographic key management. Exploitation can lead to unauthorized access to sensitive biometric data, credential theft, or complete compromise of the security module, undermining trust in device integrity. This could facilitate lateral movement within networks, data breaches, or disruption of critical services. The requirement for local privileges and user interaction somewhat limits remote exploitation but does not eliminate risk in environments where attackers can gain initial access or trick users into triggering the vulnerability. The high confidentiality, integrity, and availability impact ratings indicate potential for severe operational disruption and data loss. Organizations in sectors such as finance, healthcare, manufacturing, and government, which often deploy Dell hardware with these modules, are particularly vulnerable. The lack of known exploits currently provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
1. Monitor Dell and Broadcom security advisories for the release of patches addressing CVE-2025-36462 and apply them immediately upon availability.
2. Restrict local access to systems with affected ControlVault3 modules to trusted users only, minimizing the risk of privilege escalation.
3. Implement strict endpoint security controls to prevent unauthorized execution of API calls like WinBioControlUnit, including application whitelisting and behavioral monitoring.
4. Educate users about social engineering risks that could lead to triggering the vulnerability via user interaction.
5. Employ network segmentation to isolate critical systems using affected hardware, limiting lateral movement opportunities.
6. Conduct regular audits of biometric and security module logs to detect anomalous API usage or suspicious activity.
7. Consider temporarily disabling or restricting biometric authentication features, if feasible, until patches are applied.
8. Collaborate with hardware vendors to confirm affected device inventories and firmware versions in use within the organization.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-04-15T21:17:08.089Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691baab2bb922d22627c950a
Added to database: 11/17/2025, 11:07:30 PM
Last enriched: 11/25/2025, 12:07:22 AM
Last updated: 1/7/2026, 8:48:51 AM