FKIE_CVE-2026-23762

Vulnerability from fkie_nvd - Published: 2026-01-22 17:16 - Updated: 2026-01-26 15:04
Severity ?
6.9 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems.
References
disclosure@vulncheck.comhttps://forum.vb-audio.com/viewtopic.php?p=7527#p7527
disclosure@vulncheck.comhttps://forum.vb-audio.com/viewtopic.php?p=7574#p7574
disclosure@vulncheck.comhttps://github.com/emkaix/security-research/tree/main/CVE-2026-23762
disclosure@vulncheck.comhttps://vb-audio.com/
disclosure@vulncheck.comhttps://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-mmmaplockedpagesspecifycache
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems."
    },
    {
      "lang": "es",
      "value": "VB-Audio Voicemeeter, Voicemeeter Banana y Voicemeeter Potato (versiones que terminan en 1.1.1.9, 2.1.1.9 y 3.1.1.9 y anteriores, respectivamente), as\u00ed como VB-Audio Matrix y Matrix Coconut (versiones que terminan en 1.0.2.2 y 2.0.2.2 y anteriores, respectivamente), contienen una vulnerabilidad en sus controladores de audio virtuales (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys y vbaudio_vmvaio3*.sys). Los controladores mapean memoria del pool no paginado en el espacio de usuario a trav\u00e9s de MmMapLockedPagesSpecifyCache utilizando acceso en modo usuario sin un manejo adecuado de excepciones. Si el mapeo falla, como cuando un proceso ha agotado el espacio de direcciones virtual disponible, MmMapLockedPagesSpecifyCache genera una excepci\u00f3n que no es capturada, causando un fallo del kernel (BSoD), t\u00edpicamente SYSTEM_SERVICE_EXCEPTION con STATUS_NO_MEMORY. Esta falla permite a un usuario local sin privilegios activar una denegaci\u00f3n de servicio en sistemas Windows afectados."
    }
  ],
  "id": "CVE-2026-23762",
  "lastModified": "2026-01-26T15:04:14.850",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-22T17:16:37.480",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://forum.vb-audio.com/viewtopic.php?p=7527#p7527"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://forum.vb-audio.com/viewtopic.php?p=7574#p7574"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/emkaix/security-research/tree/main/CVE-2026-23762"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://vb-audio.com/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-mmmaplockedpagesspecifycache"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.