Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system.
AnalysisAI
Local privilege escalation in PC Tools Internet Security (Symantec) is possible because the PCTCore64.sys kernel driver exposes its PCTCoreDriver WDM device interface to user-mode processes without adequate access controls, allowing low-privileged users to invoke privileged IOCTL handlers. CERT/CC tracked this as VU#158530 and the affected driver is a candidate for Microsoft's recommended driver block list; no public exploit identified at time of analysis, though the vulnerability class (BYOVD-style abuse) is well understood by attackers.
Technical ContextAI
PCTCore64.sys is a Windows Driver Model (WDM) kernel driver shipped with Symantec/PC Tools Internet Security that creates a named device object (PCTCoreDriver) accessible via DeviceIoControl from user mode. The root cause maps to CWE-782 (Exposed IOCTL with Insufficient Access Control): the driver's device object or dispatch routines fail to enforce a sufficiently restrictive security descriptor (SDDL) or to validate caller privilege before dispatching IOCTLs that perform sensitive kernel operations. Because the driver is signed, it remains loadable on modern Windows unless explicitly blocklisted via WDAC, which is why Microsoft maintains the recommended driver block rules referenced in the advisory. The affected CPE is cpe:2.3:a:symantec:pc_tools_internet_security with all versions in scope per the EUVD record.
RemediationAI
No vendor-released patch identified at time of analysis - PC Tools Internet Security is an end-of-life Symantec product, so users should uninstall it entirely and migrate to a supported endpoint security solution as the primary remediation. Where uninstall is not immediately feasible, add PCTCore64.sys to the Microsoft Recommended Driver Block Rules enforced via Windows Defender Application Control (WDAC) or the Vulnerable Driver Blocklist toggle in Windows Security, per https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules; note this will break any product still depending on the driver. As a narrower compensating control, administrators can modify the device object's security descriptor (SDDL reference: https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language) to restrict \\.\PCTCoreDriver access to SYSTEM/Administrators only, accepting the risk that the product's own services may malfunction. See the CERT/CC advisory at https://kb.cert.org/vuls/id/158530 for coordinated guidance.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33669
GHSA-x42p-q354-px3c