CVE-2026-57851
Received Received - Intake

Local Privilege Escalation in MSI Feature Manager via KernCoreLib64.sys

Vulnerability report for CVE-2026-57851, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
msi feature_manager to 2026-57851 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-782 The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves identifying the presence of the vulnerable MSI KernCoreLib64.sys kernel driver and monitoring for unauthorized access to its exposed IOCTL handlers.

Since the vulnerability allows arbitrary physical memory read/write and unrestricted I/O port operations via IOCTL handlers, you can check for the existence of the KernCoreLib64.sys driver on the system.

Suggested commands to detect the vulnerable driver and suspicious activity include:

  • On Windows, use PowerShell or Command Prompt to list loaded drivers: `driverquery /v | findstr KernCoreLib64.sys`
  • Use Sysinternals tools like Process Explorer or Process Monitor to monitor IOCTL calls to the KernCoreLib64.sys driver.
  • Check for unusual IOCTL requests or access patterns targeting the device object exposed by the driver.

The GitHub repository for CVE-2026-57851 contains a proof-of-concept that may help in creating detection scripts or tools to identify exploitation attempts.

Executive Summary

CVE-2026-57851 is a local privilege escalation vulnerability in the MSI Feature Manager's KernCoreLib64.sys kernel driver. It allows any user who is logged in locally to exploit exposed IOCTL handlers without needing administrator privileges. By doing so, the attacker can perform arbitrary physical memory read and write operations as well as unrestricted I/O port access.

This exploitation enables attackers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software, effectively gaining elevated control over the system.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to escalate their privileges from a local user to a higher privileged level without authorization.

  • Attackers can read and write arbitrary physical memory, potentially exposing sensitive data.
  • They can perform unrestricted I/O port operations, which may disrupt hardware or system functions.
  • Manipulation of kernel objects and tampering with kernel-mode callbacks can lead to system instability or further exploitation.
  • Bypassing Protected Process Light protections and disabling security software increases the risk of persistent and stealthy attacks.
Mitigation Strategies

Immediate mitigation steps include preventing unprivileged users from accessing the vulnerable KernCoreLib64.sys driver and its IOCTL handlers.

Since the vulnerability allows local privilege escalation via exposed IOCTL handlers, restricting access to the device object or unloading the vulnerable driver can reduce risk.

Additional steps include:

  • Apply any available patches or updates from MSI or the software vendor addressing this vulnerability.
  • If patches are not available, consider disabling or removing the MSI Feature Manager software or the KernCoreLib64.sys driver until a fix is released.
  • Implement strict access controls to prevent non-administrator users from interacting with the vulnerable driver.
  • Monitor system logs and use security software to detect suspicious kernel-mode activity related to this driver.
Compliance Impact

CVE-2026-57851 is a local privilege escalation vulnerability that allows attackers to manipulate kernel objects, bypass security protections, and disable security software. Such capabilities can lead to unauthorized access and modification of sensitive data.

This type of vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and security. Exploitation could result in unauthorized data access or tampering, potentially leading to data breaches and non-compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57851. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart