Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local standard-user access (AV:L, PR:L) reliably yields arbitrary physical-memory read/write across the kernel boundary (S:C), giving full C/I/A including crash-induced availability loss.
Primary rating from Vendor (cisa-cg).
CVSS VectorVendor: cisa-cg
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
FluxInk (formerly Sunia SPB Peripheral) Color Management Driver (TcnPeripheral64.sys) 1.0.7.2 allows local privilege escalation for a standard user account via arbitrary physical memory mapping at \Device\PhysicalMemory. Fixed in version 1.0.7.6. The fixed driver is currently available in the Windows 11 25H2 HLK (Hardware Lab Kit). The fixed driver may be available through Windows Update or from Lenovo directly.
AnalysisAI
Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys version 1.0.7.2 lets a standard user map arbitrary physical memory via the \Device\PhysicalMemory object and gain kernel-level control. The flaw affects Lenovo systems shipping this signed color-management driver and is fixed in version 1.0.7.6. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution as an authenticated standard user (CVSS PR:L) on a system where the FluxInk/Sunia Color Management Driver TcnPeripheral64.sys version 1.0.7.2 is installed and its device object is accessible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine, high-priority local escalation on affected hosts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A standard user (or malware already running as an unprivileged user) opens the TcnPeripheral64.sys device interface and requests a mapping of \Device\PhysicalMemory, then uses the resulting arbitrary read/write over physical RAM to patch its own process token or kernel structures and become SYSTEM. Public POC code (github.com/b3s3da/TcnPeripheral64_PoC) demonstrates the primitive, making weaponization straightforward. … |
| Remediation | Vendor-released patch: 1.0.7.6 - upgrade the FluxInk/Sunia Color Management Driver to version 1.0.7.6, which the advisory states is available in the Windows 11 25H2 HLK (Hardware Lab Kit) and may be delivered via Windows Update or directly from Lenovo. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Scan environment for Lenovo systems with TcnPeripheral64.sys version 1.0.7.2 and document affected asset inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42094
GHSA-g73c-jxmq-7fh5