Reading view
VU#380058: SignalRGB kernel driver contains improper access control and IOCTL vulnerabilities
Overview
The SignalRGB kernel driver, SignalIo.sys, contains two vulnerabilities involving improper access control and unsafe memory handling. The device object is created with an overly permissive Discretionary Access Control List (DACL) that allows user-mode processes to access privileged hardware operations through input/output control (IOCTL) commands. Additionally, several IOCTL handlers are susceptible to NULL pointer dereference conditions, which further enables low-privilege users to trigger kernel crashes and cause Denial of Service (DoS). Version 1.3.7.0 of the SignalRGB driver remediates these vulnerabilities.
Description
SignalRGB is a Windows application used for RGB lighting control and hardware monitoring. Its kernel component, SignalIo.sys, provides the low-level interfaces required to access and interact with hardware resources.
The SignalIo.sys driver exposes privileged functionality intended for administrative or security operations, but the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices by using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, thereby allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests.
CVE-2026-8049 The \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs.
CVE-2026-8050 Seven of the sixteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash.
Impact
The device's insufficient access control enables user-mode interaction with privileged IOCTL interfaces and sensitive driver functionality, including read/write access to the PCI configuration space of system devices. Additionally, an authenticated local attacker can trigger repeated kernel crashes by accessing the \\.\SignalIo device and sending NULL input buffers to any of the seven vulnerable IOCTLs.
Notably, the affected SignalRGB drivers already include custom kernel-enforced port whitelists to block I/O access to several high-risk ports, which helps to limit the scope of sensitive operations available through the IOCTL interface.
Solution
SignalRGB has remediated these vulnerabilities in the recent 1.3.7.0 driver release. Users and organizations should update and/or block the previous vulnerable driver version where possible and implement mitigations designed to reduce exposure to BYOVD attacks, including restricting administrative privileges, enforcing Microsoft's recommended driver block rules, and enabling protections such as Windows Defender Application Control (WDAC) or an equivalent EDR solution for your environment.
Acknowledgements
Thanks to Shravan Kumar Sheri for researching and reporting this vulnerability, and to SignalRGB for their prompt engagement and remediation efforts. This document was written by Molly Jaconski.
Vendor Information
Other Information
| CVE IDs: | CVE-2026-8050 CVE-2026-8049 |
| Date Public: | 2026-06-17 |
| Date First Published: | 2026-06-17 |
| Date Last Updated: | 2026-06-17 23:57 UTC |
| Document Revision: | 3 |
Google to use UK and EU user IP addresses for ad personalization
FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.
Why Account Takeovers Are Rising and How to Stop Them
India's Telegram ban hit the UAE too. Here's how to get around it
Microsoft confirms Office apps launch issues after June updates
CISA orders feds to patch max severity Joomla plugin flaw by Friday
Microsoft working on Defender patch for RoguePlanet zero-day
Kodak confirms data breach claimed by ShinyHunters extortion gang
OS command injection in RadiX AX6600 WiFi 6 Tri-Band Gaming Router
Malicious JetBrains Marketplace plugins steal AI API keys from developers
New Rokarolla Android malware targets 217 banking, crypto apps
Steam Workshop abused to spread malware via Wallpaper Engine app
UK to require ID or face scan before you can make social media accounts
GhostTree Attack Abused Recursive Windows Junctions to Hide Malware
FTC warns of record $3.5 billion losses to imposter scams in 2025
SEC Consult SA-20260615-1 :: Multiple Vulnerabilities in Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System β Microcontroller)
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 15
SEC Consult Vulnerability Lab Security Advisory < 20260615-1 >=======================================================================
title: Multiple Vulnerabilities
Β Β Β Β Β product: Wertheim SafeController Hardware for VAULT ROOMS
(Safe Deposit Locker System β Microcontroller)
vulnerable version: Controller 65000 - AssemblyVersion 6.11.8130.22319
Β Β Β Β Β Β Β Β Β Β Controller...
SEC Consult SA-20260615-0 :: Multiple Critical Vulnerabilities in Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 15
SEC Consult Vulnerability Lab Security Advisory < 20260615-0 >=======================================================================
title: Multiple Critical Vulnerabilities
product: Wertheim SafeController Software for VAULT ROOMS
(Safe Deposit Locker System)
vulnerable version: AssemblyVersion 6.15.8328.28014
fixed version: No information provided by vendor
CVE number:...
SEC Consult SA-20260610-0 :: Local Privilege Escalation in Slate Digital Connect (macOS)
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 15
SEC Consult Vulnerability Lab Security Advisory < 20260610-0 >=======================================================================
title: Local Privilege Escalation
product: Slate Digital Connect (macOS)
Β vulnerable version: 1.37.0
fixed version: -
CVE number: CVE-2026-24066, CVE-2026-24067
Β Β Β Β Β Β Β impact: high
homepage:...