Overview
A privilege escalation vulnerability exists in the tdeio64.sys driver due to an unprotected input/output control (IOCTL) dispatch routine that fails to validate the origin and permissions of user-supplied requests. An unprivileged local attacker can abuse exposed IOCTL dispatch routines [RM1.1][MB1.2]to perform arbitrary kernel memory read and write operations, ultimately obtaining NT AUTHORITY\SYSTEM privileges and compromising the security of the affected system.
Description
The tdeio64.sys driver distributed by Pegatron Corporation, a Taiwanese electronics manufacturer that produces motherboards and OEM components, is a Windows Driver Model (WDM) driver that provides low-level access to system I/O ports and hardware components. The driver exposes the \\.\TdeIo device interface and processes privileged IOTL requests without enforcing adequate access control or validating user-supplied memory addresses.
CVE-2026-14961 By sending a crafted DeviceIoControl request, an unprivileged attacker can abuse the driver's IOCTL dispatcher to perform arbitrary kernel memory reads and writes. This capability can be used to overwrite the current process token with the SYSTEM process token, resulting in privilege escalation to NT AUTHORITY\SYSTEM.
CVE-2026-14960 In addition to arbitrary kernel memory access, the driver exposes IOCTLs capable of interacting directly with hardware I/O ports. An attacker who successfully exploits these interfaces may be able to manipulate hardware resources in ways that extend beyond normal operating system protections.
Impact
Successful exploitation provides an attacker with arbitrary kernel read and write capabilities, enabling a complete compromise of the operating system. An attacker can elevate privileges to NT AUTHORITY\SYSTEM, bypass or disable endpoint security controls, extract credentials from protected processes such as lsass.exe, install persistent rootkits, manipulate kernel data structures, and issue low-level hardware I/O operations.
Solution
At the time of publication, no vendor-supported fix is available for the Pegatron tdeio64.sys kernel driver vulnerability.
Mitigations
Organizations should disable or remove the vulnerable driver where it is not required, prevent untrusted users from loading or interacting with the driver, and implement solutions such as Windows Defender Application Control (WDAC) or Hypervisor-Protected Code Integrity (HVCI) to block known vulnerable drivers from loading where supported.
Acknowledgements
Thanks to Lucian Alexandru Necula for researching and reporting this vulnerability. This document was written by Michael Bragg.
Vendor Information
Other Information
| CVE IDs: | CVE-2026-14960 CVE-2026-14961 |
| API URL: | VINCE JSON | CSAF |
| Date Public: | 2026-07-15 |
| Date First Published: | 2026-07-15 |
| Date Last Updated: | 2026-07-15 17:09 UTC |
| Document Revision: | 2 |