Description
Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Published: 2026-05-12
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Intel QAT software drivers for Windows before version 1.13 contain an improper input validation flaw that a local, authenticated user can exploit to trigger a denial of service. The flaw resides in Ring 3 code and does not require user interaction or elevated privileges. When the vulnerability is successfully triggered, system availability is disrupted (rated high), while the description and CVSS vector rate the confidentiality and integrity impact on the vulnerable system as low.

Affected Systems

All Windows systems that employ Intel QAT drivers prior to version 1.13 are impacted. The drivers are installed as part of the Intel QuickAssist Technology (QAT) software and are used by applications that require accelerated cryptographic or compression operations.

Risk and Exploitability

The CVSS v4.0 score of 6.9 rates the vulnerability as Medium. EPSS information is not available and the flaw is not listed in CISA’s KEV catalog, indicating lower observed exploitation activity. The attack vector is local. An adversary must be authenticated on the target machine, but no special internal knowledge is required; the attack complexity is low. Successful exploitation would cause a local denial of service, limiting the impact to the compromised user’s system alone, with low confidentiality and integrity impact on that system and no impact on subsequent systems.

Generated by OpenCVE AI on May 12, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Intel QAT drivers to version 1.13 or later, as released by Intel for Windows
  • Configure access control lists so that only privileged administrators can load or interact with the QAT driver modules
  • Enable and monitor the Windows Event Log source for Service Control Manager to track driver load failures or crashes, and investigate any repeated QAT driver crashes as potential exploitation attempts

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Denial of Service in Intel QAT Drivers via Improper Input Validation

Tue, 12 May 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: intel

Published:

Updated: 2026-05-12T17:04:15.847Z

Reserved: 2025-12-09T04:00:18.741Z

Link: CVE-2026-20717

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T17:16:15.387

Modified: 2026-05-12T17:16:15.387

Link: CVE-2026-20717

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:30:22Z

Weaknesses