CVE-2026-14961 in Tdelo64.sysinfo

Summary

by MITRE • 07/15/2026

Pegatron `Tdelo64.sys` exposes a privileged device interface, `\\.\TdeIo`, that fails to properly restrict access to sensitive IOCTL functionality. The driver's IOCTL dispatcher does not validate caller privileges or verify user-supplied kernel memory addresses before performing memory operations. By sending crafted requests to IOCTL, a local attacker can achieve arbitrary kernel memory read and write operations, leading to privilege escalation to `NT AUTHORITY\SYSTEM`, security product bypass, credential theft, or complete system compromise.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Pegatron's Tdelo64.sys driver represents a critical privilege escalation flaw that undermines the fundamental security boundaries of Windows operating systems. This driver exposes a device interface at \\.\TdeIo that lacks proper access control mechanisms, creating an attack surface where unprivileged local users can exploit kernel-level functionality. The vulnerability stems from insufficient input validation within the IOCTL dispatcher implementation, which fails to enforce mandatory access controls and validate caller credentials before executing sensitive operations.

The technical flaw manifests through improper privilege checking and memory validation within the driver's command processing routine. When legitimate IOCTL requests are received, the driver does not perform adequate verification of the calling process's security context or validate that user-supplied memory addresses are properly bounded and accessible. This absence of privilege validation creates a direct pathway for malicious code to escalate privileges from standard user level to kernel level execution. The lack of proper address space validation also enables attackers to manipulate kernel memory directly through crafted IOCTL parameters, potentially corrupting critical system structures or injecting malicious code.

The operational impact of this vulnerability extends far beyond simple privilege escalation, as it provides attackers with complete control over the target system's kernel memory space. Local adversaries can leverage this capability to read arbitrary kernel memory locations, potentially extracting sensitive information such as credentials stored in memory, kernel data structures, or encryption keys used by security products. The ability to perform arbitrary write operations enables sophisticated attacks including hooking system calls, modifying security policies, or disabling protective mechanisms like Windows Defender or other endpoint protection solutions. This capability fundamentally undermines the integrity and confidentiality guarantees that operating systems provide to users.

Mitigation strategies must address both immediate operational concerns and long-term architectural improvements to prevent similar vulnerabilities from emerging in device drivers. System administrators should immediately disable or uninstall affected Pegatron drivers until vendor patches are available, while implementing strict access controls on device interfaces through group policy configurations. Security monitoring should focus on detecting unauthorized access attempts to kernel-level interfaces and unusual memory access patterns that might indicate exploitation attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and CWE-122 (Heap-based Buffer Overflow), representing a classic case of insufficient privilege checking combined with unsafe memory operations. From an attack framework perspective, this vulnerability maps to ATT&CK technique T1068 (Local Privilege Escalation) and T1547.001 (Registry Run Keys/Startup Folder), as attackers can establish persistence through kernel-level modifications that bypass traditional user-mode protections. The underlying issue demonstrates the critical importance of applying the principle of least privilege at all levels of system operation, particularly within kernel-mode drivers where security failures have maximum impact on overall system security posture.

Responsible

Certcc

Reservation

07/07/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!