Skip to main content

Tosrfec Sys CVE-2026-35553

| EUVDEUVD-2026-21848 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-13 jpcert GHSA-gp9q-xqfw-39jw
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 13, 2026 - 05:26 vuln.today
Severity Changed
Apr 13, 2026 - 05:22 NVD
MEDIUM HIGH
CVSS changed
Apr 13, 2026 - 05:22 NVD
6.7 (MEDIUM) 8.4 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 05:15 euvd
EUVD-2026-21848
Analysis Generated
Apr 13, 2026 - 05:15 vuln.today
CVE Published
Apr 13, 2026 - 04:03 nvd
HIGH 8.4

DescriptionCVE.org

Bluetooth ACPI Drivers provided by Dynabook Inc. contain a stack-based buffer overflow vulnerability. An attacker may execute arbitrary code by modifying certain registry values.

AnalysisAI

Stack-based buffer overflow in Dynabook Bluetooth ACPI drivers (tosrfec.sys, drfec.sys) allows local administrators to execute arbitrary code by manipulating specific registry values. This CVSS 8.4 vulnerability requires high privileges (administrative access) but enables complete system compromise with low attack complexity. No public exploit identified at time of analysis, though the attack surface is limited to users who already possess elevated credentials.

Technical ContextAI

This vulnerability affects Dynabook Inc.'s Bluetooth ACPI drivers, specifically tosrfec.sys and drfec.sys kernel-mode components. The flaw is a CWE-121 stack-based buffer overflow, a class of memory corruption where user-controllable data exceeds allocated stack buffer boundaries. The attack vector involves modifying Windows registry values that are processed by these drivers without proper bounds checking. When the driver reads the malicious registry data, it overflows a stack buffer, allowing attackers to overwrite return addresses or other critical stack data structures. As kernel-mode drivers operate at Ring 0 with full system privileges, successful exploitation grants attackers complete control over the operating system. ACPI (Advanced Configuration and Power Interface) drivers interact with hardware power management, making them privileged components with deep system access. The registry-based attack surface is characteristic of Windows driver vulnerabilities where configuration parameters lack input validation.

RemediationAI

Apply vendor-provided security updates from Dynabook Inc. as detailed in Sharp Corporation's security advisories at https://global.sharp/corporate/info/product-security/advisory-list/2026-001/ (English) and https://corporate.jp.sharp/info/product-security/advisory-list/2026-001/ (Japanese). Consult JPCERT coordination notice at https://jvn.jp/en/vu/JVNVU96334293/ for comprehensive technical guidance and patch availability confirmation. Organizations should prioritize patching on systems where administrative access controls are weakest or where defense-in-depth protections against privilege escalation are critical. As an interim mitigation where patching is delayed, implement strict registry access controls using Windows ACLs to prevent unauthorized modification of registry keys processed by tosrfec.sys and drfec.sys drivers, though this workaround requires identifying the specific registry locations involved and may impact legitimate driver functionality. Monitor administrative account usage and registry modification events for suspicious activity targeting Bluetooth ACPI driver configuration paths.

Share

CVE-2026-35553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy