CVE-2026-36425 in AppRemover Driverinfo

Summary

by MITRE • 07/17/2026

An issue in OPSWAT AppRemover Driver (ardrv.sys) v2017.10.02.1551 and earlier in IOCTL handler 0x2420031. Any local user can open the device and send process termination requests without privilege validation.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability exists within the OPSWAT AppRemover Driver component known as ardrv.sys which is part of version 2017.10.02.1551 and earlier releases. This driver implements a device control interface that exposes an IOCTL handler at address 0x2420031, creating an access control flaw that allows unprivileged local users to manipulate process termination requests through the device interface. The root cause stems from insufficient privilege validation mechanisms within the driver's IOCTL handling routine, specifically failing to verify whether the calling process possesses adequate security permissions before executing sensitive operations.

The technical implementation of this vulnerability manifests as a lack of proper access control checks during the processing of the IOCTL 0x2420031 command. When a local user opens the device handle and sends a termination request through this interface, the driver does not validate whether the requesting process has administrative privileges or appropriate security context to perform such operations. This design flaw creates an arbitrary code execution vector where any authenticated user can potentially terminate processes that they normally wouldn't have permission to affect. The vulnerability directly relates to CWE-284 which describes inadequate access control mechanisms, and represents a privilege escalation issue under the ATT&CK framework as it allows local users to perform actions beyond their normal access rights.

The operational impact of this vulnerability extends beyond simple process termination capabilities, creating potential system stability issues and security concerns for environments where multiple user accounts exist on the same system. An attacker with local access can leverage this weakness to terminate critical system processes, disrupt services, or potentially escalate privileges further by targeting specific processes that may have elevated rights. The implications are particularly concerning in enterprise environments where users may not require administrative privileges but could exploit this vulnerability to gain unauthorized control over system operations. This flaw undermines the principle of least privilege and creates opportunities for denial of service attacks or privilege escalation attempts that could lead to complete system compromise.

Mitigation strategies should focus on immediate driver updates from OPSWAT to address the privilege validation issue, though organizations may need to implement temporary workarounds such as restricting access to the device interface through Windows file system permissions or registry modifications. System administrators should also consider monitoring for unusual process termination patterns that could indicate exploitation attempts. The most effective long-term solution involves updating to the latest version of the AppRemover driver where proper privilege validation has been implemented. Additionally, organizations should conduct security assessments to identify other similar vulnerabilities in third-party kernel drivers and implement comprehensive endpoint protection solutions that can detect anomalous device access patterns. Network segmentation and user access controls should also be reviewed to minimize potential exploitation impact if the vulnerability cannot be immediately patched.

Responsible

MITRE

Reservation

04/06/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!