Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector requiring only a low-privileged session (AV:L/PR:L) and no interaction; arbitrary kernel memory access yields full host compromise (C/I/A:H) with no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.
AnalysisAI
Local privilege escalation in MSI Feature Manager (GameGaraj) stems from its bundled KernCoreLib64.sys kernel driver exposing IOCTL handlers that any logged-on user can reach without administrator rights, granting arbitrary physical memory read/write and unrestricted I/O port access. Any low-privileged user on an affected Windows host can leverage this to manipulate kernel objects, tamper with kernel callbacks, bypass Protected Process Light (PPL), and disable endpoint security. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the KernCoreLib64.sys driver (installed with MSI Feature Manager / GameGaraj) to be present and loaded on the target, and the attacker must already have an interactive or code-execution foothold as any locally logged-on, low-privileged user (PR:L, AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base of 8.5 (High) is driven by AV:L/AC:L/AT:N/PR:L/UI:N with full VC:H/VI:H/VA:H impact and no scope change to other systems (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already has a standard (non-admin) foothold on a Windows workstation running MSI Feature Manager - for example via phishing, a stolen low-privileged credential, or a malicious insider - opens a handle to the KernCoreLib64.sys device object and issues the exposed IOCTLs to read/write physical memory. Using the public PoC from github.com/readmsr/MSI_FeatureManager_CVE, they patch their own process token to SYSTEM and clear kernel callback registrations to blind EDR, achieving full SYSTEM control and defense evasion. … |
| Remediation | No vendor-released patched version is identified in the available data, so the primary compensating control is to remove or block the vulnerable driver rather than rely on an upgrade. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running MSI Feature Manager (GameGaraj) and assess which users have local access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42053
GHSA-9cv5-2h9v-98p5