Skip to main content

ASUS System Control Interface EUVDEUVD-2026-44588

| CVE-2026-15030 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-15 ASUS GHSA-ccmx-85ff-f67h
5.6
CVSS 4.0 · Vendor: ASUS
Share

Severity by source

Vendor (ASUS) PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.1 MEDIUM

Local access and admin privileges required to reach the IOCTL interface; AC:H reflects non-trivial validation bypass; impact is read-only memory disclosure with no integrity or availability effect.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (ASUS).

CVSS VectorVendor: ASUS

CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 02:33 vuln.today

DescriptionCVE.org

Out-of-bounds Read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to read memory regions beyond the intended firmware boundary by supplying a crafted IOCTL request that bypasses the validation. Refer to the ' Security Update for ASUS System Control Interface  ' section on the ASUS Security Advisory for more information.

AnalysisAI

Out-of-bounds memory read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager exposes kernel and firmware memory contents to local administrators via a crafted IOCTL request that bypasses the driver's length validation. The vulnerability (CWE-125) is constrained to AV:L/PR:H, meaning exploitation requires prior establishment of local administrator access on a system where the affected ASUS software is installed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local administrator access on target
Delivery
Identify system running ASUS System Control Interface or Business Manager
Exploit
Craft IOCTL request with manipulated buffer parameters
Execution
Submit request to vulnerable kernel driver
Persist
Driver reads beyond firmware buffer boundary
Impact
Exfiltrate out-of-bounds memory contents

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a local administrator account on the target system (PR:H per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, score 5.6) accurately reflects the narrow exploitation window. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has achieved local administrator access on a Windows endpoint running ASUS System Control Interface constructs a malicious IOCTL payload with out-of-range offset or length parameters and submits it to the vulnerable kernel driver. The driver's insufficient validation fails to reject the crafted input, and it reads memory beyond the intended firmware buffer - disclosing adjacent memory contents to the calling process. …
Remediation Apply the vendor-supplied update documented in the ASUS Security Advisory (https://www.asus.com/security-advisory, 'Security Update for ASUS System Control Interface' section). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy