Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
IOCTL delivery is inherently local (AV:L), trivially triggered with an empty buffer (AC:L), requires a local handle to the driver typically open to standard users (PR:L), and impact is availability-only kernel crash.
Primary rating from Vendor (certcc).
CVSS VectorVendor: certcc
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In SignalRGB versions prior to 1.3.7.0, seven of the thirteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash.
AnalysisAI
Local denial-of-service in the SignalRGB kernel driver (versions prior to 1.3.7.0) allows any process able to open a handle to the driver to crash the Windows kernel by sending an IOCTL with an empty input buffer. Seven of thirteen IOCTL handlers dereference the SystemBuffer pointer without a NULL check, producing a bugcheck (BSOD). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the SignalRGB application (and therefore its kernel driver) to be installed and running on the target Windows host, and the attacker must be able to execute code locally with sufficient rights to call CreateFile/DeviceIoControl against the SignalRGB device object - typically any interactive or service account, since RGB control drivers commonly expose permissive DACLs to non-admin users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate and bounded to availability: CVSS C:N/I:N/A:H correctly reflects a pure DoS with no information disclosure or code execution, and EPSS (0.14%, 4th percentile) plus absence from CISA KEV indicate no observed exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user on a workstation with SignalRGB installed opens a handle to the SignalRGB driver device with CreateFileW and issues DeviceIoControl using one of the seven vulnerable IOCTL codes with InputBufferLength=0 and lpInBuffer=NULL; the driver dereferences the resulting NULL SystemBuffer in kernel context and the machine immediately bugchecks. Repeated triggering from a startup script or scheduled task produces a persistent boot-loop style DoS on the host. … |
| Remediation | Vendor-released patch: SignalRGB 1.3.7.0 - upgrade all hosts running SignalRGB to 1.3.7.0 or later as documented in CERT/CC VU#380058 (https://kb.cert.org/vuls/id/380058). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Windows systems with SignalRGB driver installed and identify those running versions prior to 1.3.7.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Signalrgb Kernel Driver
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37804
GHSA-wm74-h69m-r7vv