Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack against a kernel driver requiring a low-privileged local account (AV:L, PR:L), no user interaction, low complexity, with full kernel-level confidentiality, integrity, and availability impact.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5. Impacted is an unknown function in the library dvdfabio.sys of the component Signed Kernel Driver. The manipulation leads to improper privilege management. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Local privilege escalation in DVDFab Virtual Drive 2.0.0.5 allows authenticated local users to abuse improper privilege management in the signed kernel driver dvdfabio.sys to gain elevated execution within the Windows kernel. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, increasing the window of risk for affected endpoints. No CISA KEV listing has been recorded, and EPSS data was not provided in the input.
Technical ContextAI
DVDFab Virtual Drive ships a signed Windows kernel-mode driver (dvdfabio.sys) used to emulate optical media. Because the driver is signed by a trusted vendor it loads on standard Windows installations subject to driver-signature enforcement, and any improperly authorized IOCTL or interface it exposes runs in ring 0. The flaw maps to CWE-266 (Incorrect Privilege Assignment), meaning an interface intended for privileged callers does not adequately enforce the caller's privilege level, enabling a lower-privileged process to perform actions reserved for kernel or administrator context. This is the canonical 'Bring Your Own Vulnerable Driver' (BYOVD) class of issue, where the signed status of the binary is itself an attack asset.
RemediationAI
No vendor-released patch identified at time of analysis - the reporter notes DVDFab did not respond to disclosure. Until a fixed driver is published, uninstall DVDFab Virtual Drive 2.0.0.5 from systems that do not require optical-media emulation, and on systems where it must remain, restrict interactive logon and local account creation to trusted administrators since exploitation requires local access. To mitigate BYOVD reuse on systems that never had DVDFab installed, deploy the Microsoft Vulnerable Driver Blocklist (enabled by default on Windows 11 22H2+, configurable via WDAC/HVCI on older builds) and add dvdfabio.sys to custom WDAC or EDR driver-block policies; the trade-off is that any legitimate DVDFab Virtual Drive functionality will break. Monitor for kernel driver loads of dvdfabio.sys from unexpected paths or by non-DVDFab processes as a high-fidelity BYOVD indicator. Reference: https://vuldb.com/vuln/370860 and the technical write-up at https://winslow1984.com/books/cve-collection/page/dvdfab-virtual-drive-kernel-driver-dvdfabiosys-local-privilege-escalation.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36690
GHSA-28g2-hhg9-hhq8