CVE-2026-30769
Privilege Escalation in TVicPort via IOCTL Request
Publication date: 2026-04-29
Last updated on: 2026-05-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| entechtaiwan | tvicport | 5.2.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can allow an attacker to gain higher privileges on the affected system than they are normally authorized to have. This escalation of privileges could enable the attacker to perform unauthorized actions, potentially compromising system security and integrity.
Can you explain this vulnerability to me?
This vulnerability exists in the TVicPort64.sys component of EnTech Taiwan TVicPort Product version 4.0, specifically in file version 5.2.1.0. It allows attackers to escalate their privileges by sending specially crafted IOCTL 0x80002008 requests to the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in TVicPort64.sys allows local attackers to escalate privileges by exploiting a NULL DACL, enabling arbitrary physical memory read and write operations. This can lead to unauthorized access and modification of sensitive data on affected systems.
Such unauthorized access and privilege escalation can compromise the confidentiality, integrity, and availability of data, which are core principles in compliance frameworks like GDPR and HIPAA.
Therefore, if exploited, this vulnerability could result in violations of these regulations by exposing protected personal or health information, failing to maintain adequate security controls, and potentially leading to data breaches.
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerable TVicPort64.sys driver is unmaintained and no patched version has been released by the vendor, immediate mitigation steps include:
- Remove or disable the TVicPort64.sys driver from affected systems to prevent exploitation.
- Restrict local user access to systems where the driver is installed, as the vulnerability allows local privilege escalation.
- Monitor systems for suspicious activity involving IOCTL requests, especially those targeting IOCTL 0x80002008.
- Consider using application whitelisting or driver signing enforcement policies to prevent loading untrusted or vulnerable drivers.
Can you explain this vulnerability to me?
CVE-2026-30769 is a vulnerability in the TVicPort64.sys driver component of EnTech Taiwan's TVicPort product. The issue arises because the driver creates a device object with a NULL Discretionary Access Control List (DACL), which means any local user can open a handle to the device and send crafted IOCTL (Input/Output Control) requests, specifically IOCTL 0x80002008.
This flaw allows attackers to perform arbitrary physical memory read and write operations, enabling them to escalate their privileges on the affected system.
How can this vulnerability impact me? :
This vulnerability can have serious impacts because it allows a local attacker to escalate privileges by exploiting the ability to send crafted IOCTL requests to the vulnerable driver.
- An attacker can gain higher system privileges than originally granted.
- It enables arbitrary physical memory read and write, which can be used to bypass security features.
- This can lead to full system compromise, unauthorized access to sensitive data, and potential installation of persistent malware.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the TVicPort64.sys driver creating a device object with a NULL Discretionary Access Control List (DACL), allowing any local user to open a handle and send IOCTL commands. Detection involves checking for the presence of the vulnerable TVicPort64.sys driver on the system.
To detect the vulnerable driver, you can check if TVicPort64.sys is loaded on your system using commands like:
- On Windows, run: `sc query tvicport64` or `driverquery | findstr tvicport64.sys`
- Alternatively, use PowerShell: `Get-WmiObject Win32_SystemDriver | Where-Object { $_.Name -like '*tvicport64*' }`
If the driver is present, further investigation is needed to determine if it is the vulnerable version (File v5.2.1.0). Checking the file version and timestamp of TVicPort64.sys can help confirm this.