CVE-2026-15515
Received Received - Intake

Uncontrolled Search Path in Tencent PC Manager

Vulnerability report for CVE-2026-15515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A security vulnerability has been detected in Tencent PC Manager 18.1.30242.301. This issue affects some unknown processing in the library qmudisk64.sys of the component QMUDisk Driver. The manipulation leads to uncontrolled search path. The attack must be carried out locally. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
tencent pc_manager 18.1.30242.301
tencent pc_manager From 18.1.30242.301 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15515 is a critical privilege escalation vulnerability found in the kernel driver qmudisk64.sys of Tencent PC Manager. The driver exposes multiple dangerous IOCTL interfaces that allow processes with a valid RSA signature embedded in Tencent executables to perform highly sensitive actions such as terminating arbitrary processes, unloading kernel drivers, removing kernel security callbacks, and bypassing Windows security boundaries.

However, the RSA signature validation can be easily bypassed through DLL hijacking of legitimate Tencent executables, enabling any unprivileged user to gain full control over the system's security infrastructure. Exploitation involves tricking Tencent executables like QQPCRTP.exe or QQPCTray.exe into loading malicious DLLs that trigger these vulnerable IOCTL calls.

Compliance Impact

This vulnerability allows local attackers to escalate privileges and gain complete control over the system security infrastructure by exploiting a kernel driver in Tencent PC Manager. Such a compromise can lead to unauthorized access, modification, or destruction of sensitive data.

Given the potential for full system compromise, organizations using affected versions of Tencent PC Manager may face increased risks of data breaches or unauthorized data processing, which could impact compliance with data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive information.

Failure to mitigate or remediate this vulnerability could result in violations of these standards due to inadequate protection of data confidentiality, integrity, and availability.

Impact Analysis

This vulnerability can lead to a complete system compromise. An attacker exploiting it can terminate protected processes, unload security drivers, and disable kernel security callbacks, effectively bypassing Windows security mechanisms.

As a result, an unprivileged local user could escalate their privileges and gain full control over the system, potentially leading to unauthorized access, data theft, or further malicious activities.

Detection Guidance

This vulnerability involves dangerous IOCTL interfaces exposed by the qmudisk64.sys kernel driver used by Tencent PC Manager. Detection involves monitoring for exploitation attempts such as DLL hijacking of Tencent executables (e.g., QQPCRTP.exe or QQPCTray.exe) that load malicious DLLs to trigger vulnerable IOCTL calls.

You can monitor for suspicious activity related to these executables and the use of IOCTL 0x002224C8 on the device symlinks associated with the driver.

  • Check for loaded kernel drivers and processes related to Tencent PC Manager using commands like: - `sc queryex` - `tasklist /svc`
  • Use Sysinternals tools such as Process Monitor or Process Explorer to watch for DLL hijacking attempts on QQPCRTP.exe or QQPCTray.exe.
  • Monitor for IOCTL calls to qmudisk64.sys, especially IOCTL 0x002224C8, using kernel debugging tools or specialized monitoring software.

Since the attack requires local access and involves kernel driver manipulation, network detection may be limited; focus on endpoint monitoring and integrity checks of Tencent executables and drivers.

Mitigation Strategies

Immediate mitigation steps include removing or disabling the vulnerable Tencent PC Manager kernel driver component (qmudisk64.sys) if it is not required.

Users are advised to uninstall Tencent PC Manager if it is not essential to their environment.

If uninstallation is not possible immediately, disable the driver's auto-start to prevent it from loading automatically.

Implement application whitelisting to prevent unauthorized or malicious DLLs from being loaded by Tencent executables such as QQPCRTP.exe or QQPCTray.exe.

Monitor systems for signs of exploitation attempts, including unexpected termination of protected processes, unloading of security drivers, or disabling of kernel security callbacks.

Long-term fixes include vendor patches to remove dangerous IOCTLs, strengthen RSA signature validation, and revoke vulnerable driver signatures, but these depend on vendor action.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart