CVE-2025-36463: CWE-805 - Buffer Access with Incorrect Length Value in Broadcom BCM5820X
Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 4 (`WBIO_USH_ADD_RECORD`) and with an invalid `SendBufferSize`.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-36463 is a buffer access vulnerability categorized under CWE-805 that affects the Broadcom BCM5820X component integrated into Dell ControlVault3 and ControlVault3 Plus devices. The flaw arises from improper validation of the SendBufferSize parameter in the WinBioControlUnit API call, specifically when the ControlCode 4 (WBIO_USH_ADD_RECORD) is used. This leads to multiple out-of-bounds reads and writes, causing memory corruption. The vulnerability requires an attacker to have local privileges (PR:L) and involves user interaction (UI:R), as the attacker must issue a crafted API call to the StorageAdapter. The CVSS 3.1 base score is 7.3, reflecting high impact on confidentiality, integrity, and availability. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. Although no public exploits are known, the vulnerability could be leveraged to execute arbitrary code, escalate privileges, or cause denial of service on affected systems. The affected products include Dell ControlVault3 versions prior to 5.15.14.19 and ControlVault3 Plus prior to 6.2.36.47. The vulnerability was reserved in April 2025 and published in November 2025. No patches were linked at the time of reporting, indicating organizations must monitor vendor updates closely.
Potential Impact
This vulnerability poses a significant risk to organizations using Dell ControlVault3 and ControlVault3 Plus devices that incorporate Broadcom BCM5820X components, especially in environments relying on biometric authentication or secure storage functions. Successful exploitation can lead to memory corruption, enabling attackers to execute arbitrary code with elevated privileges, potentially bypassing security controls. This compromises confidentiality by exposing sensitive biometric or security data, integrity by allowing unauthorized modification, and availability by causing system crashes or denial of service. The requirement for local privileges and user interaction limits remote exploitation, but insider threats or malware with user-level access could exploit this flaw. The absence of known exploits currently reduces immediate risk, but the high CVSS score and potential impact necessitate urgent mitigation. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that deploy these devices are particularly exposed to targeted attacks leveraging this vulnerability.
Mitigation Recommendations
Organizations should immediately inventory Dell ControlVault3 and ControlVault3 Plus devices to identify vulnerable versions (ControlVault3 prior to 5.15.14.19, ControlVault3 Plus prior to 6.2.36.47). Although no patches were available at the time of disclosure, monitoring Dell and Broadcom security advisories for updates is critical, and once patches are released, prompt deployment is essential. In the interim, restrict access to the WinBioControlUnit API and related StorageAdapter interfaces to trusted users only, employing strict access controls and application allow-listing. Implement endpoint protection capable of detecting anomalous API calls or memory corruption attempts. Conduct user awareness training to reduce the risk of social engineering that could supply the required user interaction. Employ network segmentation to isolate systems with these devices, limiting lateral movement opportunities. Regularly audit and monitor logs for suspicious activity related to biometric or storage adapter operations. Finally, consider disabling or limiting biometric authentication features, if feasible, until the vulnerability is remediated.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: talos
- Date Reserved: 2025-04-15T21:17:08.089Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691baab2bb922d22627c950e
Added to database: 11/17/2025, 11:07:30 PM
Last enriched: 2/27/2026, 5:06:58 AM
Last updated: 3/24/2026, 5:42:34 PM