
SignalRGB Kernel Driver Leaves PCI Config Space Open to Any Local User

kb.cert.org · @threat_watch · 2 hours ago · Cybersecurity · 2 comments

Any authenticated local user can open a handle to SignalIo.sys and issue privileged IOCTLs, including read/write access to PCI configuration space.

Tags: CERT/CC, SignalRGB, CVE-2026-8049, CVE-2026-8050, kernel driver, BYOVD

Any authenticated local user can open a handle to SignalIo.sys and read or write the PCI configuration space of system devices. That's the impact of CVE-2026-8049, a missing security descriptor on the device object used by SignalRGB's kernel driver.

No Security Descriptor, No Problem for Attackers

SignalRGB, the popular RGB lighting control and hardware monitoring tool, installs a kernel component named SignalIo.sys. The driver creates its device object without supplying a security descriptor, neither through a Security Descriptor Definition Language (SDDL) string nor through the IoCreateDeviceSecure API, something Microsoft's documentation explicitly warns against. The device object therefore inherits the default Discretionary Access Control List (DACL), which is permissive enough that any authenticated user can obtain a handle and send privileged IOCTL commands.

SignalRGB's own kernel-enforced port whitelists block I/O access to certain high-risk ports, but the underlying flaw still exposes hardware-level operations. An attacker with local access can manipulate PCI configuration space, which opens the door to firmware attacks, device reconfiguration, and more.

Seven IOCTLs That Crash on Empty Input

CVE-2026-8050 covers a separate set of vulnerabilities: 7 of the driver's 16 IOCTL handlers dereference the SystemBuffer pointer without checking it for NULL. Sending one of those IOCTLs with an empty input buffer triggers a NULL pointer dereference and blue-screens the machine. No privilege escalation is needed, just a handle to the device, and an authenticated local attacker can repeat this indefinitely for a reliable denial of service.
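
The two defences the advisory describes as missing, written here as an added example (not SignalRGB's code): the SDDL an IoCreateDeviceSecure call should carry, with a small audit helper for it, and the SystemBuffer validation the seven crashing handlers lacked. The NTSTATUS values and the SDDL string are the real Windows ones; the request structs and function names are stand-ins, since the driver's actual IOCTL layouts are not public.

```c
/* Added example (not SignalRGB's code): the two checks the advisory says
 * SignalIo.sys lacked, written against host-buildable stand-ins for WDK types. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef int32_t NTSTATUS;                         /* genuine NTSTATUS values */
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER  ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL   ((NTSTATUS)0xC0000023)

/* 1. Device-object DACL. Passing this SDDL to IoCreateDeviceSecure restricts
 *    the device to SYSTEM (SY) and Administrators (BA); plain IoCreateDevice
 *    leaves the default DACL that let any authenticated user open SignalIo.sys.
 *    The string is the WDK's SDDL_DEVOBJ_SYS_ALL_ADM_ALL. */
static const char kDeviceSddl[] = "D:P(A;;GA;;;SY)(A;;GA;;;BA)";
/* Audit helper: returns 1 if any access-allowed ACE names a trustee other than
 * SY or BA (AU = Authenticated Users, WD = Everyone, raw SIDs, ...), else 0. */
int sddl_allows_non_admin(const char *sddl)
{
    const char *p = sddl;
    while ((p = strchr(p, '(')) != NULL) {
        const char *end = strchr(p, ')');
        if (end == NULL) return 1;                /* malformed: treat as unsafe */
        const char *sid = end;                    /* trustee is the last ;-field */
        while (sid > p && *sid != ';') sid--;
        size_t n = (size_t)(end - sid - 1);
        int allow = (p[1] == 'A' && p[2] == ';'); /* ace_type "A" = ACCESS_ALLOWED */
        int admin_only = n == 2 && (!strncmp(sid + 1, "SY", 2) || !strncmp(sid + 1, "BA", 2));
        if (allow && !admin_only) return 1;
        p = end + 1;
    }
    return 0;
}

/* 2. METHOD_BUFFERED input validation. Stand-in for the IRP fields a handler
 *    reads: Irp->AssociatedIrp.SystemBuffer and Parameters.DeviceIoControl.InputBufferLength. */
typedef struct { void *system_buffer; size_t input_length; } ioctl_request;
/* Hypothetical request layout for a PCI config-space operation (not the driver's real one). */
typedef struct { uint8_t bus, dev, fn; uint16_t offset; } pci_cfg_request;
/* Seven SignalIo handlers dereferenced SystemBuffer unconditionally, so an empty
 * input buffer (SystemBuffer == NULL) bugchecked the machine. Validate first. */
NTSTATUS parse_pci_cfg_request(const ioctl_request *req, pci_cfg_request *out)
{
    if (req->system_buffer == NULL)       return STATUS_INVALID_PARAMETER;
    if (req->input_length < sizeof *out)  return STATUS_BUFFER_TOO_SMALL;
    memcpy(out, req->system_buffer, sizeof *out);      /* safe only after both checks */
    if (out->offset > 0xFFC || (out->offset & 3))      /* 4 KiB PCIe config space, dword-aligned */
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}
```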

Both issues were reported by Shravan Kumar Sheri and coordinated via CERT/CC. SignalRGB shipped a fix in driver version 1.3.7.0. Organizations still running older versions should treat this as a BYOVD (Bring Your Own Vulnerable Driver) risk and apply Microsoft's recommended driver block rules, WDAC, or an equivalent EDR solution.

This is a textbook case of kernel security basics being skipped for convenience. The fix is straightforward, but the underlying lesson sticks: device objects without explicit security descriptors are a gift to any local attacker who wants to probe hardware from user mode.

Source: VU#380058: SignalRGB kernel driver contains improper access control and IOCTL vulnerabilities
Domain: kb.cert.org
