Description
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems.
Published: 2026-01-22
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

VB‑Audio’s virtual audio drivers expose a length value that can be altered by a non‑privileged local user. When the modified value is later used as the argument to IoAllocateMdl without proper validation, the kernel attempts to map the user‑controlled size as a non‑paged pool MDL. This results in a system crash, typically PAGE_FAULT_IN_NONPAGED_AREA, and denies availability for the affected Windows machine.

Affected Systems

The vulnerability affects VB‑Audio Software’s Voicemeeter Standard versions ending in 1.1.1.9 or earlier, Voicemeeter Banana versions ending in 2.1.1.9 or earlier, Voicemeeter Potato versions ending in 3.1.1.9 or earlier, Matrix versions ending in 1.0.2.2 or earlier, and Matrix Coconut versions ending in 2.0.2.2 or earlier. All products run on Microsoft Windows as audio drivers.

Risk and Exploitability

The CVSS base score of 6.8 indicates medium severity, and the EPSS score of less than 1% shows a very low likelihood of real‑world exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog. A local unprivileged user can trigger the crash by interacting with the vulnerable driver; no network or elevated privileges are required. Consequently, the risk is confined to local systems where the affected drivers are installed, but a single exploit causes an irreversible denial of service until the system is rebooted or patched.

Generated by OpenCVE AI on April 18, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all VB‑Audio Voicemeeter and Matrix drivers to the latest release from the vendor, ensuring the fixed driver binaries are installed on each affected machine.
  • Verify that the driver files are located in the Windows system folder and possess the default read‑only attribute so that ordinary users cannot modify or replace them.
  • Configure Device Guard or AppLocker to block unsigned or modified drivers from loading, limiting the window in which an unprivileged attacker could tamper with the driver’s metadata.

Generated by OpenCVE AI on April 18, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Twistedmatrix
Twistedmatrix twistedweb
CPEs cpe:2.3:a:twistedmatrix:twistedweb:*:*:*:*:*:*:*:*
Vendors & Products Twistedmatrix
Twistedmatrix twistedweb

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Vb-audio Software
Vb-audio Software matrix
Vb-audio Software matrix Coconut
Vb-audio Software voicemeeter
Vb-audio Software voicemeeter Banana
Vb-audio Software voicemeeter Potato
Vendors & Products Vb-audio Software
Vb-audio Software matrix
Vb-audio Software matrix Coconut
Vb-audio Software voicemeeter
Vb-audio Software voicemeeter Banana
Vb-audio Software voicemeeter Potato

Fri, 23 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
References

Thu, 22 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Description VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems.
Title VB-Audio Voicemeeter & Matrix Drivers DoS via Corrupted IoAllocateMdl Length
Weaknesses CWE-823
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Twistedmatrix Twistedweb
Vb-audio Software Matrix Matrix Coconut Voicemeeter Voicemeeter Banana Voicemeeter Potato
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:26.672Z

Reserved: 2026-01-15T18:42:20.939Z

Link: CVE-2026-23764

cve-icon Vulnrichment

Updated: 2026-01-23T14:33:26.512Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:37.757

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23764

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses