
Revo Uninstaller EUVD-2026-36672

CVE-2026-12193 · HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-14 · VulDB · GHSA-7w6g-hc67-vvxm
CVSS 4.0: 7.1 (Vendor: VulDB)

Severity by source

Vendor (VulDB), primary: 7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.8 HIGH
Local IOCTL call requires an authenticated low-privileged user (AV:L, PR:L); no user interaction; successful pool overflow yields kernel-mode code execution with full CIA impact.
CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

5 events:
  • Jun 15, 2026 - 00:28, vuln.today: Analysis Updated, v3 (cvss_changed)
  • Jun 15, 2026 - 00:28, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Jun 15, 2026 - 00:22, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 15, 2026 - 00:22, NVD: CVSS changed, 8.5 (HIGH) → 7.1 (HIGH)
  • Jun 14, 2026 - 23:58, vuln.today: Analysis Generated

Description (CVE.org)

A vulnerability was identified in VS Revo RevoUninstaller 2.5.x/2.6.x. The affected element is the function IOCtl_Handler in the library RevoDetector.sys of the component IOCTL Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 2.7.0 is sufficient to fix this issue. It is recommended to upgrade the affected component.

Analysis (AI)

Local privilege escalation in VS Revo RevoUninstaller versions 2.5.x and 2.6.x is possible through a heap-based buffer overflow in the IOCtl_Handler function within the RevoDetector.sys kernel driver. Authenticated local users sending crafted IOCTL requests can corrupt kernel pool memory, potentially achieving SYSTEM-level code execution. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local user access on host with RevoUninstaller 2.5.x/2.6.x
Delivery: Open handle to RevoDetector device
Exploit: Send crafted IOCTL to IOCtl_Handler
Execution: Overflow non-paged kernel pool
Persist: Corrupt adjacent kernel object for control flow
Impact: Execute payload as SYSTEM

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) local code execution on the target Windows host as any authenticated user - interactive or via an existing foothold - and (2) the vulnerable RevoDetector.sys driver from RevoUninstaller 2.5.x or 2.6.x being installed and loaded, which is the default state once the affected versions are installed. …

Risk Assessment: The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) with high confidentiality, integrity and availability impact accurately reflects a local, low-privilege attacker achieving kernel compromise - a 7.1 score that is appropriate for an LPE-class issue. …

Exploit Scenario: A standard, non-administrative local user (or malware running under such an account) opens a handle to the RevoDetector device, then issues a crafted DeviceIoControl call whose input buffer triggers the heap overflow in IOCtl_Handler. Using the published PoC from github.com/Kalagious/RevoDetectorExploit and the technique documented in Jordan Higgins's blog, the attacker grooms the non-paged pool and corrupts an adjacent kernel object to escalate to SYSTEM, providing a reliable local-to-kernel privilege escalation primitive on any host where the vulnerable Revo driver is loaded.

Remediation: Vendor-released patch: version 2.7.0 - upgrade RevoUninstaller to 2.7.0 or later by downloading from https://www.revouninstaller.com/start-freeware-download/, which replaces the vulnerable RevoDetector.sys with a fixed build. …

Recommended Action (AI)

Within 24 hours: Identify and inventory all systems running RevoUninstaller versions 2.5.x or 2.6.x; restrict local system access permissions where operationally feasible. …
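One way to carry out the inventory step on a single Windows host, as an added example that is not part of the advisory or the vendor's tooling. It assumes the product registers an uninstall entry whose display name matches `*Revo*Uninstaller*` and that the driver is registered as a kernel service whose image path ends in `RevoDetector.sys`; both patterns are assumptions to adjust for your environment.

```powershell
# Added example: flag hosts with an affected RevoUninstaller build or a registered RevoDetector.sys.
$fixed = [version]'2.7.0'            # fixed release named in the advisory

# Uninstall entries, 64-bit and 32-bit registry views.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

$products = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Revo*Uninstaller*' } |   # assumed name pattern
    ForEach-Object {
        $v = $null
        # Keep only the leading dotted-numeric part before parsing.
        $ok = [version]::TryParse(($_.DisplayVersion -replace '[^\d.].*$', ''), [ref]$v)
        $status = if (-not $ok) { 'UNKNOWN-VERSION' }
                  elseif ($v -ge $fixed) { 'FIXED' }
                  elseif ($v.Major -eq 2 -and $v.Minor -in 5, 6) { 'AFFECTED' }   # 2.5.x / 2.6.x
                  else { 'NOT-LISTED' }   # older than the range the advisory names
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Product  = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = $status
        }
    }

# Kernel driver registration: a leftover driver matters even if the product entry is gone.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*RevoDetector.sys' } |
    ForEach-Object {
        # Normalise NT-style prefixes so the file can be opened.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Service     = $_.Name
            State       = $_.State          # Running means the driver is loaded
            Path        = $path
            FileVersion = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        }
    }

$products | Format-Table -AutoSize
$drivers  | Format-List
```

The driver's file version is reported for triage only; the advisory does not state how it maps to product versions, so treat any registered `RevoDetector.sys` on a host without a `FIXED` product entry as needing the 2.7.0 upgrade.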
