CVE-2026-15476
Received Received - Intake

Improper Access Control in QILING Disk Master Kernel Driver

Vulnerability report for CVE-2026-15476, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A security vulnerability has been detected in QILING Disk Master 6.0.0.0. The impacted element is an unknown function in the library diskbckp.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
qiling disk_master 6.0.0.0
qiling disk_master_free 8.7.6
borland delphi *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15476 is a security vulnerability in QILING Disk Master 6.0.0.0, specifically in the kernel driver component diskbckp.sys. The vulnerability arises because the driver exposes a device interface that allows local, non-administrative users to perform arbitrary raw disk writes without proper access control checks.

This means that an unprivileged user can write data directly to protected areas of the disk, such as system files or registry hives, bypassing Windows file system security mechanisms. The vulnerability is due to improper enforcement of security checks in the driver, allowing local privilege escalation.

Impact Analysis

This vulnerability can allow a local attacker with standard user privileges to escalate their privileges to administrative level by writing arbitrary data to protected disk locations.

Such unauthorized disk writes can compromise system integrity by overwriting critical system files or registry settings, potentially leading to system instability, unauthorized access, or persistent malware installation.

Detection Guidance

This vulnerability involves the kernel driver diskbckp.sys version 6.0.0.0 exposing a device interface \\.\diskbakdrv1 that allows local users to perform arbitrary raw disk writes. Detection can focus on identifying the presence of this vulnerable driver and monitoring attempts to access the device interface or issue the specific IOCTL (0x810C2806) calls.

  • Check if the vulnerable driver diskbckp.sys version 6.0.0.0 is loaded on the system using: sc query diskbckp
  • List loaded drivers and filter for diskbckp.sys: driverquery | findstr diskbckp.sys
  • Monitor for attempts to open the device interface \\.\diskbakdrv1 or issue IOCTL 0x810C2806 using Sysinternals Process Monitor or Windows Event Logs.
  • Use PowerShell to check for the device interface: Get-Item -Path \\.\diskbakdrv1
Mitigation Strategies

Immediate mitigation steps include upgrading the affected component to a version where the vulnerability is fixed, as suggested by the vendor.

Additionally, restrict access to the vulnerable device interface by implementing secure device creation with restrictive security descriptors, ensuring only administrative users can access sensitive IOCTLs.

Avoid exposing raw disk access to untrusted or non-administrative users to prevent privilege escalation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15476. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart