CVE-2026-0828
Status: Received - Intake
Buffer Overflow in Safetica ProcessMonitorDriver.sys

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: CERT/CC

Description
Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client (x64), versions 10.5.75.0 and 11.11.4.0, allows an unprivileged user to abuse an IOCTL path and terminate protected system processes.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product          Version / Range
safetica  endpoint_client  10.5.75.0
safetica  endpoint_client  11.11.4.0
CWE: CWE-UNKNOWN (no CWE assigned at the time of this record)

AI Quick Actions (AI-generated insights)
Executive Summary

The vulnerability exists in Safetica's endpoint client kernel driver ProcessMonitorDriver.sys in versions 10.5.75.0 and 11.11.4.0. It allows an unprivileged local user to exploit an insecure IOCTL (Input/Output Control) path to terminate protected system processes.

This flaw arises from improper input sanitization and caller validation on the IOCTL path, enabling privilege escalation and denial-of-service attacks by allowing a low-privileged caller to terminate arbitrary system processes that run with elevated privileges.

Impact Analysis

An attacker exploiting this vulnerability can repeatedly terminate critical system processes, which can disrupt Safetica's security monitoring and potentially render systems unavailable.

This can lead to denial-of-service conditions and compromise the security posture of affected systems by disabling protection mechanisms.

  • Disruption of security monitoring
  • Denial-of-service attacks
  • Potential privilege escalation

Detection Guidance

This vulnerability can be detected by monitoring for suspicious IOCTL requests targeting the ProcessMonitorDriver.sys kernel driver in Safetica's endpoint client. Since the flaw involves abuse of an insecure IOCTL path, observing unusual or unauthorized IOCTL calls can indicate exploitation attempts.

Deploying endpoint detection and response (EDR) tools is recommended to help identify and alert on such suspicious activities.

Specific commands are not provided in the available resources, but monitoring tools that track IOCTL calls or process termination events related to ProcessMonitorDriver.sys would be effective.

Mitigation Strategies

Immediate mitigation steps include monitoring for suspicious IOCTL requests and deploying endpoint detection and response tools to detect exploitation attempts.

Enforce policy-based restrictions such as Windows Group Policy or Application Control to block unauthorized access to the vulnerable ProcessMonitorDriver.sys driver.

As of the publication date, no vendor-provided fix is available, so these mitigations are critical to reduce risk.
