Description
VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer and, upon receiving IOCTL 0x222060, maps it into user space using an MDL and MmMapLockedPagesSpecifyCache. Because the allocation size is not page-aligned, the mapping exposes the entire 0x1000-byte kernel page containing the buffer plus adjacent non-paged pool allocations with read/write permissions. An unprivileged local attacker can open a device handle (using the required 0x800 attribute flag), invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers present on that page. This enables bypass of KASLR, arbitrary kernel memory read/write within the exposed page, corruption of kernel objects, and escalation to SYSTEM.
Published: 2026-01-22
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation via kernel memory exposure
Action: Apply Patch
AI Analysis

Impact

VB‑Audio Matrix and Matrix Coconut drivers contain a flaw in the vbmatrixvaio64.sys kernel device. The driver allocates a 128‑byte buffer in non‑paged pool and, when an attacker sends IOCTL 0x222060, maps that buffer into user space with MmMapLockedPagesSpecifyCache. Because the allocation size is not page aligned, the mapping exposes the entire 4 KiB kernel page, leaking adjacent non‑paged pool objects. An attacker with local access can read or write kernel memory on that page, corrupt kernel objects, bypass KASLR, and ultimately gain SYSTEM privileges. This is an improper access control weakness (CWE‑668).

Affected Systems

VB‑Audio Software Matrix (versions ending in 1.0.2.2 and earlier) and Matrix Coconut (versions ending in 2.0.2.2 and earlier) on Windows are affected. The vulnerability is limited to the driver vbmatrixvaio64*_win10.sys.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, but the EPSS score is less than 1 %, showing a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local execution, the ability to open the driver with the 0x800 flag, and to invoke the specific IOCTL. Once executed, the kernel page is mapped into user space, providing arbitrary read/write to that page, allowing manipulation of kernel pointers, corruption of objects, and escalation to SYSTEM.

Generated by OpenCVE AI on April 16, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VB‑Audio Matrix and Matrix Coconut to a version newer than 1.0.2.2 and 2.0.2.2.
  • Disable the VB‑Audio Matrix drivers if the functionality is not required for the system.
  • Monitor local processes for unusual device access and enforce the principle of least privilege for driver installation.

Generated by OpenCVE AI on April 16, 2026 at 17:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Twistedmatrix
Twistedmatrix twistedweb
CPEs cpe:2.3:a:twistedmatrix:twistedweb:*:*:*:*:*:*:*:*
Vendors & Products Twistedmatrix
Twistedmatrix twistedweb

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Vb-audio Software
Vb-audio Software matrix
Vb-audio Software matrix Coconut
Vendors & Products Vb-audio Software
Vb-audio Software matrix
Vb-audio Software matrix Coconut

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Description VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer and, upon receiving IOCTL 0x222060, maps it into user space using an MDL and MmMapLockedPagesSpecifyCache. Because the allocation size is not page-aligned, the mapping exposes the entire 0x1000-byte kernel page containing the buffer plus adjacent non-paged pool allocations with read/write permissions. An unprivileged local attacker can open a device handle (using the required 0x800 attribute flag), invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers present on that page. This enables bypass of KASLR, arbitrary kernel memory read/write within the exposed page, corruption of kernel objects, and escalation to SYSTEM.
Title VB-Audio Matrix Drivers Local Privilege Escalation via Kernel Memory Exposure
Weaknesses CWE-668
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Twistedmatrix Twistedweb
Vb-audio Software Matrix Matrix Coconut
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:25.869Z

Reserved: 2026-01-15T18:42:20.939Z

Link: CVE-2026-23763

cve-icon Vulnrichment

Updated: 2026-01-22T18:25:16.842Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:37.620

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses