Skip to main content

Portwell Engineering Toolkits CVE-2026-3437

CRITICAL
Buffer Overflow (CWE-119)
2026-03-03 ics-cert@hq.dhs.gov
9.3
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local authenticated user abuses a driver IOCTL for arbitrary kernel R/W (AV:L/PR:L/AC:L), yielding full host compromise; scope unchanged as impact stays within the OS, so C/I/A all High.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hq).

CVSS VectorVendor: hq

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 25, 2026 - 16:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 16:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jun 25, 2026 - 16:22 NVD
HIGH CRITICAL
CVSS changed
Jun 25, 2026 - 16:22 NVD
7.8 (HIGH) 9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 03, 2026 - 18:16 nvd
HIGH 7.8

DescriptionCVE.org

An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Portwell Engineering Toolkits version 4.8.2 could allow a local authenticated attacker to read and write to arbitrary memory via the Portwell Engineering Toolkits driver. Successful exploitation of this vulnerability could result in escalation of privileges or cause a denial-of-service condition.

AnalysisAI

Local privilege escalation in Portwell Engineering Toolkits 4.8.2 stems from a kernel driver that exposes unchecked arbitrary memory read/write primitives to authenticated users. An attacker already logged onto an affected industrial/embedded host can corrupt kernel memory to elevate to SYSTEM-level control or crash the machine. No public exploit has been identified and the EPSS score is very low (0.02%, 3rd percentile), indicating no current evidence of opportunistic exploitation; this was reported through CISA's ICS-CERT rather than via observed in-the-wild activity.

Technical ContextAI

The flaw is classed as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and lives in the kernel-mode driver shipped with Portwell Engineering Toolkits - utility/management software typically bundled with Portwell industrial PCs, single-board computers, and embedded platforms. Engineering/management drivers like this commonly expose IOCTL handlers that accept user-supplied addresses or lengths; without proper bounds and pointer validation, those handlers become a confused-deputy primitive allowing a low-privileged caller to direct the driver to read or write at arbitrary kernel virtual addresses. The single affected CPE is cpe:2.3:a:portwell:engineering_toolkits:4.8.2, so the vulnerability is scoped to that application/driver package rather than the underlying OS.

RemediationAI

Patch available per vendor advisory - consult Portwell advisory PWS-2026-3437 (https://software.portwell.tw/security-advisory/PWS-2026-3437.html) and CISA ICSA-26-062-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-04) for the fixed release and apply it to all hosts running Engineering Toolkits 4.8.2; an exact patched version number is not present in the provided data, so verify the target version directly from the vendor advisory before deploying. Where immediate patching is not possible, reduce exposure by uninstalling or disabling the Engineering Toolkits driver if it is not operationally required (trade-off: loss of the toolkit's hardware management/configuration functions), and restrict interactive and administrative logon to affected hosts to a minimal set of trusted operators since exploitation requires local authenticated access (trade-off: tighter access control may slow legitimate maintenance). Standard kernel-driver hardening such as enforcing driver code-signing/blocklisting the vulnerable driver version also limits abuse until the fixed build is in place.

Share

CVE-2026-3437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy