Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only driver IOCTL reachable only from an administrator (AV:L, PR:H); crafted inputs must defeat validation (AC:H); arbitrary kernel R/W and BSOD yield full C/I/A impact.
Primary rating from Vendor (ASUS).
CVSS VectorVendor: ASUS
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A permissive list of allowed inputs in ASUS Armoury Crate allows a local administrator to perform arbitrary memory read/write operations or cause a system crash (BSOD) by bypassing the validation mechanism.Refer to the ' Security Update for Armoury Crate App ' section on the ASUS Security Advisory for more information.
AnalysisAI
Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution as an administrator on a Windows endpoint with ASUS Armoury Crate 6.4.12 or earlier installed and its kernel driver loaded - the attacker must be able to open a handle to the Armoury Crate driver and issue IOCTLs through it, which Windows restricts to administrative contexts. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate and tightly bounded by the prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained local administrator privileges on an ASUS endpoint (for example, via phishing followed by a UAC bypass) loads the legitimate Armoury Crate driver and sends crafted IOCTLs that pass the driver's permissive validation, granting arbitrary kernel read/write. They then use that primitive to patch out EDR callbacks or zero token privileges to escalate from admin to SYSTEM/kernel and establish stealthy persistence. … |
| Remediation | Patch available per vendor advisory: update Armoury Crate to the fixed release published under the 'Security Update for Armoury Crate App' section at https://www.asus.com/security-advisory (exact fix version not enumerated in the supplied data - confirm against the ASUS advisory before deployment). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all systems running ASUS Armoury Crate version 6.4.12 or earlier and audit administrative user account access patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Armoury Crate
View allASUS SetupAsusServices v1.0.5.1 in Asus Armoury Crate v5.3.4.0 contains an unquoted service path vulnerability which all
Local privilege escalation in ASUS Armoury Crate allows an authenticated low-privileged user to bypass driver validation
Same weakness CWE-183 – Permissive List of Allowed Inputs
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38205
GHSA-jjw4-7368-pw26