Portwell Engineering Toolkits CVE-2026-3437
CRITICALSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local authenticated user abuses a driver IOCTL for arbitrary kernel R/W (AV:L/PR:L/AC:L), yielding full host compromise; scope unchanged as impact stays within the OS, so C/I/A all High.
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Portwell Engineering Toolkits version 4.8.2 could allow a local authenticated attacker to read and write to arbitrary memory via the Portwell Engineering Toolkits driver. Successful exploitation of this vulnerability could result in escalation of privileges or cause a denial-of-service condition.
AnalysisAI
Local privilege escalation in Portwell Engineering Toolkits 4.8.2 stems from a kernel driver that exposes unchecked arbitrary memory read/write primitives to authenticated users. An attacker already logged onto an affected industrial/embedded host can corrupt kernel memory to elevate to SYSTEM-level control or crash the machine. No public exploit has been identified and the EPSS score is very low (0.02%, 3rd percentile), indicating no current evidence of opportunistic exploitation; this was reported through CISA's ICS-CERT rather than via observed in-the-wild activity.
Technical ContextAI
The flaw is classed as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and lives in the kernel-mode driver shipped with Portwell Engineering Toolkits - utility/management software typically bundled with Portwell industrial PCs, single-board computers, and embedded platforms. Engineering/management drivers like this commonly expose IOCTL handlers that accept user-supplied addresses or lengths; without proper bounds and pointer validation, those handlers become a confused-deputy primitive allowing a low-privileged caller to direct the driver to read or write at arbitrary kernel virtual addresses. The single affected CPE is cpe:2.3:a:portwell:engineering_toolkits:4.8.2, so the vulnerability is scoped to that application/driver package rather than the underlying OS.
RemediationAI
Patch available per vendor advisory - consult Portwell advisory PWS-2026-3437 (https://software.portwell.tw/security-advisory/PWS-2026-3437.html) and CISA ICSA-26-062-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-04) for the fixed release and apply it to all hosts running Engineering Toolkits 4.8.2; an exact patched version number is not present in the provided data, so verify the target version directly from the vendor advisory before deploying. Where immediate patching is not possible, reduce exposure by uninstalling or disabling the Engineering Toolkits driver if it is not operationally required (trade-off: loss of the toolkit's hardware management/configuration functions), and restrict interactive and administrative logon to affected hosts to a minimal set of trusted operators since exploitation requires local authenticated access (trade-off: tighter access control may slow legitimate maintenance). Standard kernel-driver hardening such as enforcing driver code-signing/blocklisting the vulnerable driver version also limits abuse until the fixed build is in place.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today