Share
## https://sploitus.com/exploit?id=4E077B4A-3212-5314-84AC-2936B29537EF
# Privilege Escalation Vulnerabilities in Pegatron TdeIo64 Driver (tdeio64.sys)

| | |
|---|---|
| **CVE IDs** | CVE-2026-14960, CVE-2026-14961 |
| **Vendor** | Pegatron Corporation |
| **Product** | TdeIo Driver (`tdeio64.sys`) |
| **Device Interface** | `\\.\TdeIo` |
| **Vulnerability Types** | Improper Access Control (CWE-284), Arbitrary Kernel Memory Read/Write (CWE-787/CWE-125), Unprotected I/O Port Access |
| **Impact** | Privilege Escalation to SYSTEM, Hardware-Level Compromise |
| **Attack Vector** | Local |
| **Privileges Required** | Low (any local user) |
| **Tested On** | Windows 10/11 x64 |
| **Researcher** | Lucian Alexandru Necula |

## Summary

The Pegatron `tdeio64.sys` driver is a Windows Driver Model (WDM) component that exposes low-level I/O port and hardware access through the `\\.\TdeIo` device interface. The driver's IOCTL dispatch routine does not validate the origin or privilege level of incoming requests, nor does it adequately validate user-supplied memory addresses before using them in read/write operations.

Two issues were identified and are tracked together in this advisory:

- **CVE-2026-14961** โ€” Arbitrary kernel memory read/write reachable through unprotected IOCTL handling, allowing privilege escalation to SYSTEM.
- **CVE-2026-14960** โ€” Unrestricted access to IOCTLs that interact directly with hardware I/O ports, allowing manipulation of hardware resources beyond normal OS protections.

## Affected Component

- **Driver:** `tdeio64.sys`
- **Interface:** `\\.\TdeIo` device object, IOCTL dispatch routine
- **Reachability:** Standard (non-administrative) local users

## Technical Details

### CVE-2026-14961 โ€” Arbitrary Kernel Memory Read/Write

The driver's IOCTL dispatcher processes `DeviceIoControl` requests without verifying that the caller holds sufficient privileges or restricting which processes may open a handle to the device. Because request parameters supplied by user mode are used directly as source/destination addresses for memory operations, a local attacker can craft a request that causes the driver to read from or write to arbitrary kernel memory. This primitive can be used to overwrite the security token of the calling process with that of a SYSTEM process, resulting in full privilege escalation.

### CVE-2026-14960 โ€” Unrestricted Hardware I/O Port Access

In addition to the memory read/write primitives, the driver exposes IOCTLs that perform direct hardware I/O port operations on behalf of the caller. Because these IOCTLs are reachable by any local, unprivileged process, an attacker can use them to interact with hardware resources in ways not normally permitted by the operating system's protection model, extending the impact of exploitation beyond software-level compromise.

> **Note:** No proof-of-concept exploit code is published in this advisory. The technical description above is intentionally limited to what is necessary to understand and remediate the issues.

## Impact

- **CVE-2026-14961** allows a local, unprivileged attacker to obtain `NT AUTHORITY\SYSTEM` privileges via arbitrary kernel memory read/write, enabling full compromise of the operating system โ€” including bypassing or disabling endpoint security controls, extracting credentials from protected processes such as `lsass.exe`, installing persistent rootkits, and manipulating kernel data structures.
- **CVE-2026-14960** allows direct manipulation of hardware I/O ports from an unprivileged context, extending the impact of exploitation beyond the OS security boundary.

Because `tdeio64.sys` is distributed as an OEM component bundled with Pegatron-manufactured motherboards and hardware, the affected driver may be present โ€” and loadable โ€” on a wide range of consumer and enterprise systems.

## Recommendations

**For defenders / system owners:**
- Treat `tdeio64.sys` as vulnerable; no vendor-supported fix is available at the time of publication.
- Disable or remove the driver where it is not required.
- Prevent untrusted users from loading or interacting with the driver.
- Where supported, use Windows Defender Application Control (WDAC) or Hypervisor-Protected Code Integrity (HVCI) to block known vulnerable drivers from loading.

**For the vendor:**
- Restrict access to the `\\.\TdeIo` device object to trusted, appropriately privileged callers.
- Validate all user-supplied pointers/addresses before performing reads or writes on their behalf.
- Restrict or remove IOCTLs that permit direct hardware I/O port access from unprivileged callers.

## Disclosure Timeline

| Date | Event |
|---|---|
| 2026-04-27 | Vendor (Pegatron Corp.) notified via CERT/CC coordination |
| โ€” | No statement received from the vendor |
| 2026-07-15 | CERT/CC Vulnerability Note VU#529388 published |
| 2026-07-15 | Public advisory published (this document) |

## References

- CERT/CC: [VU#529388](https://kb.cert.org/vuls/id/529388)
- CVE: [CVE-2026-14960](https://vulners.com/cve/CVE-2026-14960)
- CVE: [CVE-2026-14961](https://vulners.com/cve/CVE-2026-14961)

## Credit

Discovered and reported by **Lucian Alexandru Necula**.