Pegatron Tdelo64.sys CVE-2026-14961
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Arbitrary kernel write enables SYSTEM token escalation (S:C, I:H, A:H); device interface accessible without any privileges (PR:N).
Primary rating from Vendor (certcc).
CVSS VectorVendor: certcc
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Pegatron Tdelo64.sys exposes a privileged device interface, \\.\TdeIo, that fails to properly restrict access to sensitive IOCTL functionality. The driver's IOCTL dispatcher does not validate caller privileges or verify user-supplied kernel memory addresses before performing memory operations. By sending crafted requests to IOCTL, a local attacker can achieve arbitrary kernel memory read and write operations, leading to privilege escalation to NT AUTHORITY\SYSTEM, security product bypass, credential theft, or complete system compromise.
AnalysisAI
Privilege escalation to NT AUTHORITY\SYSTEM is achievable on Windows systems hosting the Pegatron Tdelo64.sys kernel-mode driver, which exposes the \\.\TdeIo device interface without enforcing caller privilege checks or validating user-supplied kernel memory addresses in its IOCTL dispatcher. Any local user can open the device interface and send crafted IOCTL requests to perform arbitrary kernel memory read and write operations, enabling full system compromise including credential theft and security product bypass. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Pegatron Tdelo64.sys driver must be installed and actively loaded on the target Windows system, and the \\.\TdeIo device interface must be reachable by non-privileged users - the vulnerability exists precisely because this access restriction is absent. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 base score of 6.2 with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N is materially inconsistent with the described impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with a standard user account on a Windows system running the Pegatron Tdelo64.sys driver opens the \\.\TdeIo device interface, which requires no elevated privileges, then sends a crafted IOCTL request containing a controlled kernel memory address. The driver performs a write operation at the attacker-supplied address without validation, enabling the attacker to overwrite the EPROCESS security token of their own process, escalating to NT AUTHORITY\SYSTEM and subsequently disabling endpoint security callbacks before conducting credential theft or lateral movement. … |
| Remediation | Consult the CERT/CC advisory at https://kb.cert.org/vuls/id/529388 for official vendor guidance and any available patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Tdelo64 Sys
View allSame weakness CWE-20 – Improper Input Validation
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today