{"vuid":"VU#529388","idnumber":"529388","name":"Privilege escalation vulnerability via unprotected IOCTL interface in Pegatron Tdelo64.sys","keywords":null,"overview":"### Overview\r\nA privilege escalation vulnerability exists in the `tdeio64.sys` driver due to an unprotected input/output control (IOCTL) dispatch routine that fails to validate the origin and permissions of user-supplied requests. An unprivileged local attacker can abuse exposed IOCTL dispatch routines [RM1.1][MB1.2]to perform arbitrary kernel memory read and write operations, ultimately obtaining `NT AUTHORITY\\SYSTEM` privileges and compromising the security of the affected system.\r\n\r\n### Description\r\nThe `tdeio64.sys` driver distributed by Pegatron Corporation, a Taiwanese electronics manufacturer that produces motherboards and OEM components, is a Windows Driver Model (WDM) driver that provides low-level access to system I/O ports and hardware components. The driver exposes the `\\\\.\\TdeIo` device interface and processes privileged IOTL requests without enforcing adequate access control or validating user-supplied memory addresses. \r\n\r\n**CVE-2026-14961** By sending a crafted `DeviceIoControl` request, an unprivileged attacker can abuse the driver's IOCTL dispatcher to perform arbitrary kernel memory reads and writes. This capability can be used to overwrite the current process token with the `SYSTEM` process token, resulting in privilege escalation to `NT AUTHORITY\\SYSTEM`. \r\n\r\n**CVE-2026-14960** In addition to arbitrary kernel memory access, the driver exposes IOCTLs capable of interacting directly with hardware I/O ports. An attacker who successfully exploits these interfaces may be able to manipulate hardware resources in ways that extend beyond normal operating system protections. \r\n\r\n### Impact\r\nSuccessful exploitation provides an attacker with arbitrary kernel read and write capabilities, enabling a complete compromise of the operating system. An attacker can elevate privileges to `NT AUTHORITY\\SYSTEM`, bypass or disable endpoint security controls, extract credentials from protected processes such as `lsass.exe`, install persistent rootkits, manipulate kernel data structures, and issue low-level hardware I/O operations. \r\n\r\n### Solution\r\nAt the time of publication, no vendor-supported fix is available for the Pegatron `tdeio64.sys` kernel driver vulnerability.\r\n#### Mitigations\r\nOrganizations should disable or remove the vulnerable driver where it is not required, prevent untrusted users from loading or interacting with the driver, and implement solutions such as Windows Defender Application Control (WDAC) or Hypervisor-Protected Code Integrity (HVCI) to block known vulnerable drivers from loading where supported. \r\n\r\n### Acknowledgements\r\nThanks to Lucian Alexandru Necula for researching and reporting this vulnerability. This document was written by Michael Bragg.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":[],"cveids":["CVE-2026-14960","CVE-2026-14961"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-07-15T17:08:59.341353Z","publicdate":"2026-07-15T17:08:59.226529Z","datefirstpublished":"2026-07-15T17:08:59.351349Z","dateupdated":"2026-07-15T17:09:58.993740Z","revision":2,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":218}