CVE-2026-12217
Deferred - Pending Action

Improper Privilege Management in DVDFab Virtual Drive

Vulnerability report for CVE-2026-12217, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description

A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5. Impacted is an unknown function in the library dvdfabio.sys of the component Signed Kernel Driver. The manipulation leads to improper privilege management. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-07-05
AI Q&A: 2026-06-15
EPSS Evaluated: 2026-07-04

Affected Vendors & Products

Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| dvdfab | virtual_drive | 2.0.0.5 |
| dvdfab | dvdfabio | 1.5.1.0 |

CWE

| CWE ID | Description |
|--------|-------------|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |

Compliance Impact

This vulnerability allows a low-privileged local user to escalate privileges by bypassing normal access controls on sensitive Windows registry keys, including those that store critical security information such as the SAM hive.

Such unauthorized access and potential tampering or disclosure of sensitive system data can lead to violations of security requirements mandated by common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of sensitive information, negatively impacting compliance with these regulations.

Executive Summary

This vulnerability exists in the DVDFab Virtual Drive version 2.0.0.5, specifically in a signed kernel driver called dvdfabio.sys. The driver exposes an interface that allows local users to perform registry operations from kernel mode without proper access checks.

Normally, standard users cannot write to protected registry keys or access sensitive registry hives like HKLM\SAM\SAM. However, this driver provides IOCTLs that let a low-privileged user obtain kernel-opened handles to these protected keys, bypassing Windows' normal security.

As a result, a standard user can write to protected registry values or read sensitive registry data, which should normally be restricted. This improper privilege management can lead to privilege escalation and other malicious activities.

Impact Analysis

This vulnerability can allow a local attacker with standard user privileges to escalate their privileges by writing to protected registry keys or reading sensitive registry data.

  • Privilege escalation enabling the attacker to gain higher system privileges.
  • Persistence by tampering with system configuration through registry modifications.
  • Disclosure of sensitive information stored in protected registry hives.
  • Potential disruption or manipulation of system behavior due to unauthorized registry changes.

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable DVDFab Virtual Drive version 2.0.0.5 and its signed kernel driver dvdfabio.sys (version 1.5.1.0) on the system.

Specifically, detection involves verifying if the device named \\.\DVDFabIO exists and if it exposes IOCTL interfaces that allow registry operations without proper access control.

Commands to help detect this include querying loaded drivers and checking for the device presence:

  • Use PowerShell or Command Prompt to list loaded drivers and check for dvdfabio.sys (the `/i` switch makes the match case-insensitive): `driverquery /v | findstr /i dvdfabio.sys`
  • Check for the device presence using: `handle.exe -a | findstr /i DVDFabIO` (Sysinternals Handle utility)
  • Attempt to open the device with a tool or script to see if the vulnerable IOCTLs are accessible (requires custom scripts or tools).
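
The presence and version check described above, scripted in PowerShell as an added example (not part of the original report or any vendor tool). It assumes the driver is registered as a service whose image path ends in dvdfabio.sys and that the product's uninstall entry has a DisplayName matching `*DVDFab*Virtual*Drive*`; the function names are hypothetical.

```powershell
# Added example. File name and version numbers are taken from this report;
# the uninstall DisplayName pattern is an assumption.
$AffectedDriverVersion  = '1.5.1.0'
$AffectedProductVersion = '2.0.0.5'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver can report NT-style prefixes; convert to a Win32 path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    $p
}

function Get-DvdFabExposure {
    # Registered kernel drivers whose image is dvdfabio.sys, running or stopped.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'dvdfabio\.sys' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $ver  = $null
            if (Test-Path -LiteralPath $path) {
                $vi  = (Get-Item -LiteralPath $path).VersionInfo
                $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart
            }
            [pscustomobject]@{
                Kind = 'Driver'; Name = $_.Name; State = $_.State; Path = $path
                Version = $ver; Affected = ($ver -eq $AffectedDriverVersion)
            }
        }
    # Installed-product entries (64-bit and 32-bit uninstall views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DVDFab*Virtual*Drive*' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind = 'Product'; Name = $_.DisplayName; State = 'Installed'
                Path = $_.InstallLocation; Version = $_.DisplayVersion
                Affected = ($_.DisplayVersion -eq $AffectedProductVersion)
            }
        }
}

$findings = @(Get-DvdFabExposure)
$findings | Format-Table -AutoSize
if ($findings.Affected -contains $true) { Write-Warning 'Version listed in CVE-2026-12217 found.' }
```

A driver or product entry with a different version is outside the CPE list in this report, so treat it as unverified rather than unaffected.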

Mitigation Strategies

Immediate mitigation steps include removing or disabling the vulnerable DVDFab Virtual Drive 2.0.0.5 and its driver dvdfabio.sys from the system to prevent exploitation.

If removal is not immediately possible, restrict access to the device \\.\DVDFabIO to trusted users only, preventing unprivileged users from interacting with the driver.

Long-term remediation involves the vendor removing the registry open/create IOCTLs from the driver's public interface, avoiding returning kernel-opened handles to untrusted callers, and enforcing proper access checks.
