CVE-2006-4926 in Kaspersky Lab

Summary

by MITRE

The NDIS-TDI Hooking Engine, as used in the (1) KLICK (KLICK.SYS) and (2) KLIN (KLIN.SYS) device drivers 2.0.0.281 in Kaspersky Labs Anti-Virus 6.0.0.303 and other Anti-Virus and Internet Security products, allows local users to execute arbitrary code via a crafted Irp structure with invalid addresses in the 0x80052110 IOCTL.

Analysis

by VulDB Data Team • 04/25/2026

The vulnerability described in CVE-2006-4926 represents a critical security flaw within the NDIS-TDI Hooking Engine implementation in Kaspersky Labs anti-virus products. This vulnerability specifically affects the KLICK.SYS and KLIN.SYS device drivers version 2.0.0.281, which are integral components of Kaspersky Anti-Virus 6.0.0.303 and related security software. The flaw exists in how these drivers handle Input/Output Control (IOCTL) requests, particularly when processing Irp structures containing invalid addresses, creating a dangerous privilege escalation vector for local attackers.

The technical implementation of this vulnerability stems from inadequate input validation within the IOCTL handling mechanism of the device drivers. When a local user submits a crafted Irp structure with invalid addresses through the 0x80052110 IOCTL command, the drivers fail to properly validate the memory addresses contained within the request. This validation failure allows attackers to manipulate the driver's execution flow by providing malicious address values that can cause the system to execute arbitrary code with elevated privileges. The vulnerability operates at the kernel level, making it particularly dangerous as it bypasses user-mode security controls and directly targets the operating system's core protection mechanisms.
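
As an added illustration (not code from Kaspersky, MITRE or VulDB), the following user-mode C model decodes the 0x80052110 control code using the standard CTL_CODE bit layout and shows the kind of range check a handler has to apply to any address carried in a request. The function names and the 0x7FFF0000 user-space limit are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0] */
typedef struct {
    uint32_t device_type; /* >= 0x8000 is the vendor-defined range */
    uint32_t access;      /* 0 = FILE_ANY_ACCESS, 1 = read, 2 = write */
    uint32_t function;
    uint32_t method;      /* 0 = METHOD_BUFFERED, 3 = METHOD_NEITHER */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Assumed top of user address space for this model (32-bit layout). */
#define MODEL_USER_LIMIT 0x7FFF0000ULL

/* Returns 1 only if [addr, addr+len) lies wholly below user_limit.
   Written so that addr + len is never computed and cannot wrap. */
int user_range_ok(uint64_t addr, uint64_t len, uint64_t user_limit)
{
    if (addr >= user_limit)
        return 0;                     /* kernel-space or out-of-range address */
    return len <= user_limit - addr;  /* rejects ranges that cross the limit */
}

int main(void)
{
    ioctl_fields f = decode_ioctl(0x80052110u);
    printf("device=0x%X access=%u function=0x%X method=%u\n",
           (unsigned)f.device_type, (unsigned)f.access,
           (unsigned)f.function, (unsigned)f.method);

    /* Constructed sample addresses, not taken from any real request. */
    uint64_t samples[][2] = {
        {0x00400000ULL, 0x1000}, {0x80000000ULL, 4}, {0x7FFEFFFCULL, 8},
    };
    for (int i = 0; i < 3; i++)
        printf("0x%llX+%llu -> %s\n", (unsigned long long)samples[i][0],
               (unsigned long long)samples[i][1],
               user_range_ok(samples[i][0], samples[i][1], MODEL_USER_LIMIT)
                   ? "accept" : "reject");
    return 0;
}
```

The decode shows a vendor-defined device type with METHOD_BUFFERED and FILE_ANY_ACCESS. With buffered I/O the I/O manager copies only the top-level buffer, so any addresses embedded inside it are left for the driver to validate.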

The operational impact of this vulnerability is severe and multifaceted. Local attackers with minimal privileges can leverage this flaw to achieve privilege escalation, potentially gaining SYSTEM-level access to affected systems. This elevation of privileges enables malicious actors to bypass all security controls implemented by the anti-virus software, including real-time protection, file scanning, and network monitoring capabilities. The vulnerability effectively undermines the security posture of systems running affected Kaspersky products, as the anti-virus software itself becomes a vector for attack rather than a protective mechanism. Additionally, the exploit can be used to install rootkits, modify system files, or establish persistent backdoors, making it particularly attractive to advanced persistent threat actors.

This vulnerability aligns with CWE-125, which describes "Out-of-bounds Read" conditions, and CWE-787, which covers "Out-of-bounds Write" scenarios, both of which are common in kernel-level buffer overflow conditions. The ATT&CK framework categorizes this vulnerability under T1068, "Exploitation for Privilege Escalation," and T1543, "Create or Modify System Process," as it enables attackers to gain elevated privileges and potentially modify system processes. Organizations should consider implementing mitigations including immediate patching of affected Kaspersky products, restricting local user privileges where possible, and monitoring for suspicious IOCTL activity. The vulnerability also highlights the importance of secure coding practices in kernel-mode drivers and demonstrates how security software itself can contain exploitable flaws that require continuous vigilance and updates to maintain effective protection against evolving threats.

Reservation

09/22/2006

Disclosure

10/20/2006

Moderation

accepted

Entry

VDB-32883

CPE

ready

Exploit

Download

EPSS

0.01258

KEV

no

Activities

very low
