CVE-2026-23761
Kernel NULL Pointer Dereference in VB-Audio Virtual Audio Drivers Causes BSoD
Publication date: 2026-01-22
Last updated on: 2026-01-22
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vb-audio | voicemeeter | to 1.1.1.9 (inc) |
| vb-audio | voicemeeter_banana | to 2.1.1.9 (inc) |
| vb-audio | voicemeeter_potato | to 3.1.1.9 (inc) |
| vb-audio | matrix | to 1.0.2.2 (inc) |
| vb-audio | matrix_coconut | to 2.0.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-824 | The product accesses or uses a pointer that has not been initialized. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23761 is a vulnerability in VB-Audio's virtual audio drivers used in Voicemeeter and Matrix products. The issue occurs because the drivers improperly initialize the FILE_OBJECT->FsContext field to a non-pointer magic value when a handle is opened with a special file attribute. If operations on this handle are forwarded down the audio driver stack instead of being handled by the VB-Audio driver, the invalid FsContext value is dereferenced, causing a kernel crash (Blue Screen of Death) with a SYSTEM_SERVICE_EXCEPTION and STATUS_ACCESS_VIOLATION error. This allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing a local unprivileged user to cause a denial-of-service (DoS) condition on affected Windows systems. Specifically, it can trigger a kernel crash resulting in a Blue Screen of Death (BSoD), which disrupts normal system operation and may require a reboot, potentially causing loss of unsaved data and system downtime. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the affected VB-Audio virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, vbaudio_vmvaio3*.sys) are present and in use on the system. Detection involves checking the installed versions of Voicemeeter and Matrix software to see if they are at or below the vulnerable versions (Voicemeeter β€ 1.1.1.9, Voicemeeter Banana β€ 2.1.1.9, Voicemeeter Potato β€ 3.1.1.9, Matrix β€ 1.0.2.2, Matrix Coconut β€ 2.0.2.2). On Windows systems, commands such as 'driverquery' or 'Get-WmiObject Win32_SystemDriver' in PowerShell can list loaded drivers to check for these specific driver files. Additionally, monitoring for SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION Blue Screen of Death (BSoD) errors in system logs may indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the affected VB-Audio software (Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, Matrix, and Matrix Coconut) to versions later than those listed as vulnerable. If updates are not available, restricting local unprivileged user access to the affected systems or disabling the vulnerable virtual audio drivers temporarily can reduce risk. Monitoring system stability and logs for signs of kernel crashes related to this vulnerability is also recommended. [1]