## https://sploitus.com/exploit?id=E0E5A159-B9FC-5F80-8823-08B2D5FD8E7A
# CVE-2026-36425: OPSWAT AppRemover Driver (ardrv.sys) Improper Access Control
| | |
|---|---|
| **CVE ID** | CVE-2026-36425 |
| **Vendor** | OPSWAT, Inc. |
| **Product** | AppRemover Driver (`ardrv.sys`) |
| **Affected Versions** | v2017.10.02.1551 and earlier |
| **Vulnerability Type** | Improper Access Control (CWE-284) |
| **Impact** | Unauthorized process termination, denial of service, security software tampering, anti-forensics |
| **Attack Vector** | Local |
| **Privileges Required** | Low (any local user) |
| **Tested On** | Windows 10 / Windows 11 (x64) |
| **Researcher** | Jehad Abudagga ([@j3h4ck](https://x.com/j3h4ck)) |
---
## Summary
The OPSWAT AppRemover kernel driver (`ardrv.sys`), version 2017.10.02.1551 and earlier, exposes a device object (`\\.\ardrv`) that is accessible to unprivileged local users. The driver's IOCTL handler `0x2420031` performs process termination on a caller-supplied target without validating the caller's privileges, the protection status of the target process, or whether the target is a critical system process.
As a result, any local user can open the device and request termination of arbitrary processes, including security software, leading to denial of service, defensive tooling tampering, and anti-forensic abuse.
## Affected Component
- **Driver:** `ardrv.sys`
- **Device:** `\\.\ardrv` (reachable from user mode by non-administrative callers)
- **IOCTL handler:** `0x2420031`
## Technical Details
The driver registers a device object and dispatch routines that handle device I/O control requests from user mode. IOCTL `0x2420031` reaches a process-termination code path that acts on a target identifier supplied directly in the request.
This handler implements three distinct termination strategies:
1. **Memory corruption of the target's address space:** the routine attaches to the target process context via `KeAttachProcess` and overwrites a large region (approximately 16 MB) of its memory with `0xCC`, destabilizing or crashing the process.
2. **Job object termination:** the target is associated with a job object that is then terminated, killing the process together with its child process tree.
3. **Direct process termination:** a standard `ZwTerminateProcess` call against the target.
The core security defect is the **absence of any authorization or safety checks** before these actions are taken. Specifically, the handler does not verify:
- the **privilege level of the calling process** (no token / integrity-level check),
- the **protection status of the target** (Protected Process / Protected Process Light, i.e. PP/PPL), or
- whether the target is a **critical system process** whose termination destabilizes the OS.
Because the device object is reachable by standard (non-administrative) users, this turns a signed, legitimately distributed driver into a local primitive for terminating arbitrary processes.
## Impact
An unprivileged local attacker can:
- **Disable endpoint security software** (EDR/AV agents, monitoring services) by terminating their processes, weakening the host's defensive posture ahead of further activity.
- **Cause denial of service** by terminating critical processes, potentially crashing the system.
- **Support anti-forensic workflows** by killing logging, telemetry, or response tooling.
This class of issue is characteristic of "Bring Your Own Vulnerable Driver" (BYOVD) abuse: because `ardrv.sys` is a validly signed driver, it may be loaded on systems where the vendor software is not otherwise present, extending the impact beyond hosts that legitimately run AppRemover.
## Additional Observations
During analysis, the same driver was observed to expose further IOCTL handlers that appear to provide additional sensitive primitives:
| IOCTL | Observed Capability |
|---|---|
| `0x242002D` | Arbitrary registry writes |
| `0x2420035` / `0x2420039` | Hardware port I/O (read/write) |
| `0x242003D` | Forced file deletion |
These are noted for completeness. Their handling under the CVE program is being coordinated separately with the CVE Assignment Team and may be tracked under distinct identifiers.
> **Note:** No proof-of-concept exploit code is published in this advisory. The technical description is intentionally limited to what is necessary to understand and remediate the issue. PoC material may be released at a later date once coordination is complete.
## Recommendations
**For defenders / system owners:**
- Treat `ardrv.sys` (v2017.10.02.1551 and earlier) as a vulnerable driver. Where the AppRemover functionality is not required, ensure the driver is not present or loadable.
- Apply or expand **vulnerable driver blocklisting** (e.g. Microsoft's recommended driver block rules / HVCI-enforced blocklists) to prevent the affected driver version from loading.
- Monitor for unexpected loading of `ardrv.sys` on systems that do not legitimately run OPSWAT AppRemover.
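A detection check for the monitoring recommendation above, added here as an example that is not part of the advisory: it scans driver-load telemetry and flags any load of `ardrv.sys` at an affected version (v2017.10.02.1551 or earlier), and any load on a host outside an allowlist of machines that legitimately run AppRemover. The record format, host names and allowlist are constructed assumptions; map the fields to your EDR or Sysmon pipeline.

```python
"""Flag loads of the vulnerable OPSWAT AppRemover driver (ardrv.sys) in driver-load telemetry.

Added example, not part of the advisory. Record format, host names and the
allowlist are constructed; adapt the field names to your EDR/Sysmon pipeline.
"""
from __future__ import annotations
import ntpath

# Highest version the advisory names as affected (v2017.10.02.1551 and earlier).
MAX_AFFECTED_VERSION = "2017.10.02.1551"

# Hosts that legitimately run OPSWAT AppRemover (constructed allowlist, lowercase).
APPREMOVER_HOSTS = {"ws-it-tools01"}


def parse_version(text: str) -> tuple[int, ...]:
    """'2017.10.02.1551' -> (2017, 10, 2, 1551); pads to four parts so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected_version(version: str) -> bool:
    """True when the loaded file version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(MAX_AFFECTED_VERSION)


def analyze_driver_load(event: dict) -> list[str]:
    """Return alert reasons for one driver-load event (empty list means nothing to flag)."""
    if ntpath.basename(event["image"]).lower() != "ardrv.sys":
        return []  # not the driver this advisory covers
    reasons = []
    if is_affected_version(event["version"]):
        reasons.append("CVE-2026-36425: affected ardrv.sys version loaded")
    if event["host"].lower() not in APPREMOVER_HOSTS:
        reasons.append("ardrv.sys loaded on a host that does not run AppRemover (possible BYOVD)")
    return reasons


# Constructed sample telemetry: host, loaded image path, file version reported by the sensor.
SAMPLE_EVENTS = [
    {"host": "ws-it-tools01", "image": r"C:\Windows\System32\drivers\ardrv.sys", "version": "2017.10.02.1551"},
    {"host": "srv-db07", "image": r"C:\Users\Public\ardrv.sys", "version": "2017.09.14.0420"},
    {"host": "srv-db07", "image": r"C:\Windows\System32\drivers\disk.sys", "version": "10.0.19041.1"},
]


def run(events: list[dict] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> alert reasons, keeping only events that produced an alert."""
    return {i: r for i, ev in enumerate(events) if (r := analyze_driver_load(ev))}


if __name__ == "__main__":
    for i, reasons in run().items():
        print(i, SAMPLE_EVENTS[i]["host"], "->", "; ".join(reasons))
```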
**For the vendor:**
- Restrict access to the device object so that only appropriately privileged callers can issue control requests.
- Enforce authorization checks in the IOCTL dispatch path (caller integrity/privilege validation).
- Reject termination requests targeting protected (PP/PPL) and critical system processes.
## Disclosure Timeline
| Date | Event |
|---|---|
| 2026-02-25 | CVE request submitted to the CVE Assignment Team |
| 2026-06-16 | CVE-2026-36425 assigned |
| 2026-06-17 | Public advisory published (this document) |
## References
- CVE Record: https://vulners.com/cve/CVE-2026-36425
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-36425
## Credit
Discovered and reported by **Jehad Abudagga**
- X / Twitter: [@j3h4ck](https://x.com/j3h4ck)
- Medium: [@jehadbudagga](https://medium.com/@jehadbudagga)