Skip to main content

ASUS System Control Interface EUVDEUVD-2026-28486

| CVE-2026-3508 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-08 ASUS GHSA-m3gg-rqf2-7qcj
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 08, 2026 - 03:30 vuln.today
CVSS changed
May 08, 2026 - 03:22 NVD
6.8 (MEDIUM)
CVE Published
May 08, 2026 - 02:00 nvd
MEDIUM 6.8

DescriptionCVE.org

An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system crash (BSOD) via a read size that exceeds the buffer size.Refer to the ' Security Update for MyASUS ' section on the ASUS Security Advisory for more information.

AnalysisAI

Out-of-bounds read in ASUS System Control Interface IOCTL handler allows local authenticated users to trigger denial of service via oversized read operations. A local user with limited privileges can supply a read size exceeding the allocated buffer, causing a system crash (BSOD). No public exploit code or active exploitation has been confirmed at this time.

Technical ContextAI

ASUS System Control Interface exposes IOCTL (Input/Output Control) handlers that accept user-mode requests to interact with kernel-mode driver functionality. The vulnerability stems from CWE-125 (Out-of-bounds Read), where the IOCTL handler fails to validate that the requested read size does not exceed the destination buffer's allocated size before performing the read operation. This classic bounds-checking failure in kernel-mode code leads to memory access violations that trigger a kernel exception, resulting in system crash. The affected component is a system-level driver or service that handles privileged operations on ASUS systems.

RemediationAI

Apply the security update for MyASUS as detailed in the ASUS Security Advisory (https://www.asus.com/security-advisory) - this advisory references a patch for the System Control Interface IOCTL handler that implements proper buffer size validation. Exact patched version numbers are not provided in available data; verify with ASUS support or the advisory page for the specific build version to upgrade to. As an interim compensating control, restrict IOCTL access to the affected driver by disabling non-essential ASUS system services or limiting local user account privileges where feasible, though this may impact ASUS system management features. Systems used in multi-user or guest-access scenarios should be prioritized for patching due to elevated local threat surface.

Share

EUVD-2026-28486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy