Skip to main content

MSI Feature Manager CVE-2026-57851

| EUVDEUVD-2026-42053 HIGH
Exposed IOCTL with Insufficient Access Control (CWE-782)
2026-07-07 VulnCheck GHSA-9cv5-2h9v-98p5
8.5
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local vector requiring only a low-privileged session (AV:L/PR:L) and no interaction; arbitrary kernel memory access yields full host compromise (C/I/A:H) with no scope change.

3.1 AV:L/AC:L/PR:L/UI:N/S:N/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 17:15 vuln.today

DescriptionCVE.org

MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.

AnalysisAI

Local privilege escalation in MSI Feature Manager (GameGaraj) stems from its bundled KernCoreLib64.sys kernel driver exposing IOCTL handlers that any logged-on user can reach without administrator rights, granting arbitrary physical memory read/write and unrestricted I/O port access. Any low-privileged user on an affected Windows host can leverage this to manipulate kernel objects, tamper with kernel callbacks, bypass Protected Process Light (PPL), and disable endpoint security. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-priv local user session
Delivery
Open handle to KernCoreLib64.sys device
Exploit
Issue exposed IOCTL for physical memory write
Execution
Patch process token / kernel callbacks
Persist
Bypass PPL and disable EDR
Impact
Execute as SYSTEM

Vulnerability AssessmentAI

Exploitation Exploitation requires the KernCoreLib64.sys driver (installed with MSI Feature Manager / GameGaraj) to be present and loaded on the target, and the attacker must already have an interactive or code-execution foothold as any locally logged-on, low-privileged user (PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base of 8.5 (High) is driven by AV:L/AC:L/AT:N/PR:L/UI:N with full VC:H/VI:H/VA:H impact and no scope change to other systems (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already has a standard (non-admin) foothold on a Windows workstation running MSI Feature Manager - for example via phishing, a stolen low-privileged credential, or a malicious insider - opens a handle to the KernCoreLib64.sys device object and issues the exposed IOCTLs to read/write physical memory. Using the public PoC from github.com/readmsr/MSI_FeatureManager_CVE, they patch their own process token to SYSTEM and clear kernel callback registrations to blind EDR, achieving full SYSTEM control and defense evasion. …
Remediation No vendor-released patched version is identified in the available data, so the primary compensating control is to remove or block the vulnerable driver rather than rely on an upgrade. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running MSI Feature Manager (GameGaraj) and assess which users have local access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy