CVE-2026-23761
Unknown Unknown - Not Provided
Kernel NULL Pointer Dereference in VB-Audio Virtual Audio Drivers Causes BSoD

Publication date: 2026-01-22

Last updated on: 2026-01-22

Assigner: VulnCheck

Description
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-22
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23761
EUVD
EUVD-2026-3828
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
vb-audio voicemeeter to 1.1.1.9 (inc)
vb-audio voicemeeter_banana to 2.1.1.9 (inc)
vb-audio voicemeeter_potato to 3.1.1.9 (inc)
vb-audio matrix to 1.0.2.2 (inc)
vb-audio matrix_coconut to 2.0.2.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-824 The product accesses or uses a pointer that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23761 is a vulnerability in VB-Audio's virtual audio drivers used in Voicemeeter and Matrix products. The issue occurs because the drivers improperly initialize the FILE_OBJECT->FsContext field to a non-pointer magic value when a handle is opened with a special file attribute. If operations on this handle are forwarded down the audio driver stack instead of being handled by the VB-Audio driver, the invalid FsContext value is dereferenced, causing a kernel crash (Blue Screen of Death) with a SYSTEM_SERVICE_EXCEPTION and STATUS_ACCESS_VIOLATION error. This allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. [1]

Impact Analysis

This vulnerability can impact you by allowing a local unprivileged user to cause a denial-of-service (DoS) condition on affected Windows systems. Specifically, it can trigger a kernel crash resulting in a Blue Screen of Death (BSoD), which disrupts normal system operation and may require a reboot, potentially causing loss of unsaved data and system downtime. [1]

Detection Guidance

This vulnerability can be detected by identifying if the affected VB-Audio virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, vbaudio_vmvaio3*.sys) are present and in use on the system. Detection involves checking the installed versions of Voicemeeter and Matrix software to see if they are at or below the vulnerable versions (Voicemeeter ≀ 1.1.1.9, Voicemeeter Banana ≀ 2.1.1.9, Voicemeeter Potato ≀ 3.1.1.9, Matrix ≀ 1.0.2.2, Matrix Coconut ≀ 2.0.2.2). On Windows systems, commands such as 'driverquery' or 'Get-WmiObject Win32_SystemDriver' in PowerShell can list loaded drivers to check for these specific driver files. Additionally, monitoring for SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION Blue Screen of Death (BSoD) errors in system logs may indicate exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating the affected VB-Audio software (Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, Matrix, and Matrix Coconut) to versions later than those listed as vulnerable. If updates are not available, restricting local unprivileged user access to the affected systems or disabling the vulnerable virtual audio drivers temporarily can reduce risk. Monitoring system stability and logs for signs of kernel crashes related to this vulnerability is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart