Skip to main content

PC Tools Internet Security EUVDEUVD-2026-33669

| CVE-2026-8501 HIGH
Exposed IOCTL with Insufficient Access Control (CWE-782)
2026-06-01 certcc GHSA-x42p-q354-px3c
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 19:28 vuln.today
CVSS changed
Jun 01, 2026 - 19:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 16:25 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 16:25 nvd
HIGH 7.8

DescriptionCVE.org

Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system.

AnalysisAI

Local privilege escalation in PC Tools Internet Security (Symantec) is possible because the PCTCore64.sys kernel driver exposes its PCTCoreDriver WDM device interface to user-mode processes without adequate access controls, allowing low-privileged users to invoke privileged IOCTL handlers. CERT/CC tracked this as VU#158530 and the affected driver is a candidate for Microsoft's recommended driver block list; no public exploit identified at time of analysis, though the vulnerability class (BYOVD-style abuse) is well understood by attackers.

Technical ContextAI

PCTCore64.sys is a Windows Driver Model (WDM) kernel driver shipped with Symantec/PC Tools Internet Security that creates a named device object (PCTCoreDriver) accessible via DeviceIoControl from user mode. The root cause maps to CWE-782 (Exposed IOCTL with Insufficient Access Control): the driver's device object or dispatch routines fail to enforce a sufficiently restrictive security descriptor (SDDL) or to validate caller privilege before dispatching IOCTLs that perform sensitive kernel operations. Because the driver is signed, it remains loadable on modern Windows unless explicitly blocklisted via WDAC, which is why Microsoft maintains the recommended driver block rules referenced in the advisory. The affected CPE is cpe:2.3:a:symantec:pc_tools_internet_security with all versions in scope per the EUVD record.

RemediationAI

No vendor-released patch identified at time of analysis - PC Tools Internet Security is an end-of-life Symantec product, so users should uninstall it entirely and migrate to a supported endpoint security solution as the primary remediation. Where uninstall is not immediately feasible, add PCTCore64.sys to the Microsoft Recommended Driver Block Rules enforced via Windows Defender Application Control (WDAC) or the Vulnerable Driver Blocklist toggle in Windows Security, per https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules; note this will break any product still depending on the driver. As a narrower compensating control, administrators can modify the device object's security descriptor (SDDL reference: https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language) to restrict \\.\PCTCoreDriver access to SYSTEM/Administrators only, accepting the risk that the product's own services may malfunction. See the CERT/CC advisory at https://kb.cert.org/vuls/id/158530 for coordinated guidance.

Share

EUVD-2026-33669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy