Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Local-only attack vector (AV:L), low privilege required (PR:L) for standard user account; limited C/I/A impact reflects IOCTL abuse without confirmed full kernel compromise.
Primary rating from Vendor (certcc).
CVSS VectorVendor: certcc
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
In SignalRGB versions prior to 1.3.7.0, the \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs.
AnalysisAI
Overly permissive access control on the SignalRGB kernel driver's device object exposes privileged IOCTL operations to any authenticated local user on Windows systems running versions prior to 1.3.7.0. The root cause is that the \\.\SignalIo device object is created without an explicit SDDL security descriptor and without the FILE_DEVICE_SECURE_OPEN flag, causing Windows to apply insecure default access controls. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated local user session on a Windows system with the SignalRGB kernel driver installed at a version prior to 1.3.7.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L accurately reflects the realistic risk: exploitation is bounded to authenticated local users, requires no special attack complexity, and produces limited-severity impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a standard local user account on a Windows workstation where SignalRGB is installed opens a handle to `\\.\SignalIo` using standard Win32 API calls, which succeeds due to the missing SDDL restrictions. The attacker then dispatches one or more privileged IOCTL codes against the handle, interacting with kernel-mode driver functionality that was intended to be restricted to elevated callers, potentially reading kernel-controlled data or modifying driver state to support further privilege escalation. |
| Remediation | Upgrade SignalRGB to version 1.3.7.0 or later, which is the vendor-confirmed patched release as reported by CERT/CC (https://kb.cert.org/vuls/id/380058). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Signalrgb Kernel Driver
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37803
GHSA-c9xw-w9jw-mq5m