Skip to main content

ASUS System Control Interface EUVDEUVD-2026-44587

| CVE-2026-13585 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-15 ASUS GHSA-jf28-f99p-265w
8.2
CVSS 4.0 · Vendor: ASUS
Share

Severity by source

Vendor (ASUS) PRIMARY
8.2 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.0 MEDIUM

Local access with pre-existing administrator rights drives AV:L and PR:H; low complexity, and the flaw both discloses sensitive data (C:H) and enables host DoS (A:H) with no integrity impact.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ASUS).

CVSS VectorVendor: ASUS

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 02:31 vuln.today
CVE Published
Jul 15, 2026 - 02:01 cve.org
HIGH 8.2

DescriptionCVE.org

Allocation of Resources Without Limits and Throttling and Sensitive Information in Resource Not Removed Before Reuse in the ASUS System Control Interface driver and ASUS Business Manager allow a local administrator to disclose sensitive information via crafted IOCTL requests, which, in severe cases, may lead to a Denial of Service (DoS) on the system. Refer to the ' Security Update for ASUS System Control Interface  ' section on the ASUS Security Advisory for more information.

AnalysisAI

Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local administrator access
Delivery
Locate SCI driver device object
Exploit
Send crafted IOCTL request
Execution
Read stale sensitive buffer contents
Persist
Flood unthrottled requests to exhaust resources
Impact
Denial of service on host

Vulnerability AssessmentAI

Exploitation Exploitation requires local administrator privileges on the target ASUS system (CVSS PR:H) and local access (AV:L) - it cannot be performed remotely or by a standard/unprivileged user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 8.2 (High) with vector AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:H, meaning local access, low complexity, but high privileges (administrator) already required - a significant limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained local administrator privileges on an ASUS business notebook - for example after an earlier phishing-plus-privilege-escalation foothold - sends crafted IOCTL requests to the System Control Interface driver to read back stale buffer contents containing sensitive data, then repeats malformed requests to exhaust driver resources and crash the machine. No public POC is known, and low attack complexity means a knowledgeable admin-level attacker could develop one against the driver's IOCTL interface.
Remediation Patch available per vendor advisory: update the ASUS System Control Interface / System Control Interface v3 driver and ASUS Business Manager to the fixed builds described in the 'Security Update for ASUS System Control Interface' section of the ASUS Security Advisory at https://www.asus.com/security-advisory/ (exact fixed version not provided in this dataset - obtain it from that advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all systems running ASUS System Control Interface driver v3 and earlier, plus any ASUS Business Manager installations, documenting affected versions and the count of users with local administrator rights. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy