Description
The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine service, resulting in privilege escalation.
Published: 2026-03-30
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Gigabyte Performance Library component of the Control Center performs deserialization of untrusted data in an insecure manner. An attacker with local access can craft a malicious serialized payload and send it to the EasyTune Engine service; when processed, the payload can trigger arbitrary code execution, effectively elevating the attacker’s privileges on the affected system.

Affected Systems

All installations of Gigabyte Control Center that include the Performance Library and run a version earlier than 25.12.31.01 are affected. Any system where the EasyTune Engine service is active is vulnerable. These installations typically reside on Windows machines used in environments with Gigabyte hardware or software bundles.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.5, indicating high severity, while the EPSS score is less than 1%, implying a low probability of current exploitation. It is not listed in the CISA KEV catalog. Attackers must be authenticated locally to send the malicious payload, so the attack vector is local. Successful exploitation would enable the attacker to gain elevated privileges, potentially compromising the entire system.

Generated by OpenCVE AI on April 8, 2026 at 20:41 UTC.

Remediation

Vendor Solution

Please update to version 25.12.31.01 or later.


OpenCVE Recommended Actions

  • Verify the installed version of Gigabyte Control Center and the Performance Library component.
  • Download and install update version 25.12.31.01 or later from Gigabyte’s official resources.
  • Restart the system or reload the EasyTune Engine service to ensure the update takes effect.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:gigabyte:performance_library:*:*:*:*:*:*:*:* |

Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Gigabyte; Gigabyte performance Library |
| Vendors & Products | | Gigabyte; Gigabyte performance Library |

Mon, 30 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 30 Mar 2026 08:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine service, resulting in privilege escalation. |
| Title | | GIGABYTE\|Performance Library - Insecure Deserialization |
| Weaknesses | | CWE-502 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |
| Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-03-30T15:08:37.998Z

Reserved: 2026-03-19T02:53:09.032Z

Link: CVE-2026-4416

Vulnrichment

Updated: 2026-03-30T15:08:28.901Z

NVD

Status: Analyzed

Published: 2026-03-30T08:16:18.360

Modified: 2026-04-08T19:23:47.020

Link: CVE-2026-4416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:28Z

Weaknesses