Description
Improper input validation for some Intel(R) QAT software drivers for Windows before version 2.6 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Published: 2026-05-12
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by improper input validation in Intel QAT software drivers for Windows prior to version 2.6. An unprivileged local user who is authenticated can construct malicious input that causes a crash or other failure in ring‑3 code, resulting in a denial of service. The flaw does not require delegated privileges or user interaction, and it can be exercised simply by sending the driver malformed data.

Affected Systems

Intel QAT software drivers for Windows, versions earlier than 2.6.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, with a low impact on confidentiality and integrity but a high impact on availability. No EPSS score is available, so the current exploitation probability is unknown; the vulnerability is not listed in KEV, suggesting no documented active exploitation. The attack vector is local (AV:L in the CVSS vector) and requires authenticated, low‑complexity input from an unprivileged user. Successful exploitation would halt cryptographic or application services that rely on QAT, potentially affecting critical workloads.

Generated by OpenCVE AI on May 12, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Intel QAT driver to version 2.6 or later to remediate the input validation flaw.
  • If an upgrade cannot be performed promptly, disable or uninstall the vulnerable QAT driver to remove the denial‑of‑service pathway.
  • Restrict local user access to components that interact with the QAT driver and monitor system logs for abnormal service terminations.



Advisories

No advisories yet.

History

Tue, 12 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Title | | Denial of Service via Improper Input Validation in Intel QAT Windows Drivers

Tue, 12 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper input validation for some Intel(R) QAT software drivers for Windows before version 2.6 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (low) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Weaknesses | | CWE-20
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: intel

Published:

Updated: 2026-05-12T17:07:11.535Z

Reserved: 2025-12-04T04:00:32.867Z

Link: CVE-2026-20905

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T17:16:19.767

Modified: 2026-05-12T17:16:19.767

Link: CVE-2026-20905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:12Z

Weaknesses