{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/529388#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA privilege escalation vulnerability exists in the `tdeio64.sys` driver due to an unprotected input/output control (IOCTL) dispatch routine that fails to validate the origin and permissions of user-supplied requests. An unprivileged local attacker can abuse exposed IOCTL dispatch routines [RM1.1][MB1.2]to perform arbitrary kernel memory read and write operations, ultimately obtaining `NT AUTHORITY\\SYSTEM` privileges and compromising the security of the affected system.\r\n\r\n### Description\r\nThe `tdeio64.sys` driver distributed by Pegatron Corporation, a Taiwanese electronics manufacturer that produces motherboards and OEM components, is a Windows Driver Model (WDM) driver that provides low-level access to system I/O ports and hardware components. The driver exposes the `\\\\.\\TdeIo` device interface and processes privileged IOTL requests without enforcing adequate access control or validating user-supplied memory addresses. \r\n\r\n**CVE-2026-14961** By sending a crafted `DeviceIoControl` request, an unprivileged attacker can abuse the driver's IOCTL dispatcher to perform arbitrary kernel memory reads and writes. This capability can be used to overwrite the current process token with the `SYSTEM` process token, resulting in privilege escalation to `NT AUTHORITY\\SYSTEM`. \r\n\r\n**CVE-2026-14960** In addition to arbitrary kernel memory access, the driver exposes IOCTLs capable of interacting directly with hardware I/O ports. An attacker who successfully exploits these interfaces may be able to manipulate hardware resources in ways that extend beyond normal operating system protections. \r\n\r\n### Impact\r\nSuccessful exploitation provides an attacker with arbitrary kernel read and write capabilities, enabling a complete compromise of the operating system. An attacker can elevate privileges to `NT AUTHORITY\\SYSTEM`, bypass or disable endpoint security controls, extract credentials from protected processes such as `lsass.exe`, install persistent rootkits, manipulate kernel data structures, and issue low-level hardware I/O operations. \r\n\r\n### Solution\r\nAt the time of publication, no vendor-supported fix is available for the Pegatron `tdeio64.sys` kernel driver vulnerability.\r\n#### Mitigations\r\nOrganizations should disable or remove the vulnerable driver where it is not required, prevent untrusted users from loading or interacting with the driver, and implement solutions such as Windows Defender Application Control (WDAC) or Hypervisor-Protected Code Integrity (HVCI) to block known vulnerable drivers from loading where supported. \r\n\r\n### Acknowledgements\r\nThanks to Lucian Alexandru Necula for researching and reporting this vulnerability. This document was written by Michael Bragg.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/529388"}],"title":"Privilege escalation vulnerability via unprotected IOCTL interface in Pegatron Tdelo64.sys","tracking":{"current_release_date":"2026-07-15T17:09:58+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#529388","initial_release_date":"2026-07-15 17:08:59.226529+00:00","revision_history":[{"date":"2026-07-15T17:09:58+00:00","number":"1.20260715170958.2","summary":"Released on 2026-07-15T17:09:58+00:00"}],"status":"final","version":"1.20260715170958.2"}},"vulnerabilities":[{"title":"Pegatron `Tdelo64.","notes":[{"category":"summary","text":"Pegatron `Tdelo64.sys` exposes a privileged device interface, `\\\\.\\TdeIo`, that fails to properly restrict access to sensitive IOCTL functionality. The driver's IOCTL dispatcher does not validate caller privileges or verify user-supplied kernel memory addresses before performing memory operations. By sending crafted requests to IOCTL, a local attacker can achieve arbitrary kernel memory read and write operations, leading to privilege escalation to `NT AUTHORITY\\SYSTEM`, security product bypass, credential theft, or complete system compromise."}],"cve":"CVE-2026-14961","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#529388"}]},{"title":"Pegatron `Tdelo64.","notes":[{"category":"summary","text":"Pegatron `Tdelo64.sys` improperly exposes privileged hardware access functionality through the `\\\\.\\TdeIo` device interface. IOCTL handlers including `TDE_IOCTL_INDEXIO_READ` and `TDE_IOCTL_INDEXIO_WRITE` permit unprivileged user-mode callers to perform arbitrary hardware I/O port reads and writes without authorization checks. A local attacker can abuse this functionality to manipulate hardware registers, tamper with firmware-related interfaces, cause system instability, or establish persistent low-level compromise."}],"cve":"CVE-2026-14960","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#529388"}]}],"product_tree":{"branches":[]}}