Description
An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows the altered resource to pass system checks and be executed with elevated privileges upon a user-initiated update.
Refer to the 'Security Update for ASUS DriverHub' section on the ASUS Security Advisory for more information.
Published: 2026-04-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Incorrect Permission Assignment
Action: Apply Patch
AI Analysis

Impact

During the ASUS DriverHub update process, an incorrect permission assignment permits a local user to modify a critical resource protected by elevated privileges. The altered resource bypasses system checks and executes with higher privileges when a user initiates an update. This flaw enables an attacker who can run DriverHub on the host to have unprivileged modifications executed under elevated rights, effectively compromising the entire system without requiring remote exploitation.

Affected Systems

All ASUS DriverHub installations are potentially vulnerable. The advisory does not specify impacted versions; any existing installation that has not applied the security update can be affected. No other vendor products are noted as affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score is not available, so expected exploitation frequency is unknown. The flaw requires local user access to execute DriverHub and to initiate an update. If an attacker can manipulate the update package, they may achieve privilege escalation at the time of the update. The vulnerability is not listed in CISA’s KEV catalog, and no advance warning or public exploitation evidence is documented at this time.

Generated by OpenCVE AI on April 16, 2026 at 09:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the ASUS DriverHub security update released by ASUS
  • Restrict local user permissions to prevent modification of DriverHub’s critical resource directories
  • Configure the system to run DriverHub updates with minimum privileges and enable integrity monitoring on the executables

Advisories

No advisories yet.

References
History

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via DriverHub Update Process

Thu, 16 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows the altered resource to pass system checks and be executed with elevated privileges upon a user-initiated update. Refer to the 'Security Update for ASUS DriverHub' section on the ASUS Security Advisory for more information.
First Time appeared Asus
Asus driverhub
Weaknesses CWE-367
CPEs cpe:2.3:a:asus:driverhub:*:*:*:*:*:*:*:*
Vendors & Products Asus
Asus driverhub
References
Metrics cvssV4_0

{'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASUS

Published:

Updated: 2026-04-16T12:31:34.003Z

Reserved: 2026-02-04T08:24:34.633Z

Link: CVE-2026-1880

Vulnrichment

Updated: 2026-04-16T12:22:15.901Z

NVD

Status: Awaiting Analysis

Published: 2026-04-16T03:16:25.857

Modified: 2026-04-17T15:17:00.957

Link: CVE-2026-1880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z
