Realtek Audio Service 1.0.0.55 Unquoted Service Path Privilege Escalation
Description
Realtek Audio Service 1.0.0.55 contains an unquoted service path vulnerability in RtkAudioService64.exe that allows local attackers to escalate privileges by injecting malicious code. Attackers can place executable files in the unquoted service path directory to execute arbitrary code with LocalSystem privileges during service startup or system reboot.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: =1.0.0.55
Patches
Vulnerability mechanics
Root cause
"The service binary path for RtkAudioService64.exe is not enclosed in quotes, causing Windows to interpret spaces in the path as separators and allowing an attacker to hijack execution by planting a malicious executable in an earlier directory component."
Attack vector
A local attacker with write access to the `C:\Program Files\Realtek\Audio\` directory can place a malicious executable named `HDA.exe` (or `Audio.exe`, `Realtek.exe`, etc.) in that path. When the service starts (either at boot or manually), Windows will interpret the unquoted path and attempt to execute the attacker's planted binary instead of the legitimate RtkAudioService64.exe. Because the service runs as LocalSystem, the injected code gains the highest Windows privilege level.
Affected code
The vulnerable component is the Realtek Audio Service (RtkAudioService64.exe) version 1.0.0.55. The service binary path is registered as `C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe` without surrounding quotes, which is the classic unquoted service path pattern.
What the fix does
The advisory does not provide a vendor patch. The remediation is to enclose the service binary path in double quotes (e.g., `"C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe"`) so that Windows treats the entire string as a single path and does not search for executables in intermediate directories. Without a patch from Realtek, users must manually correct the service path or apply appropriate access controls to prevent untrusted users from writing to the affected directories.
Preconditions
- authThe attacker must have local access to the Windows system and be able to write files into the `C:\Program Files\Realtek\Audio\` directory tree.
- configThe Realtek Audio Service must be configured with an unquoted binary path (default in version 1.0.0.55).
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- www.exploit-db.com/exploits/49015mitreexploit
- www.vulncheck.com/advisories/realtek-audio-service-unquoted-service-path-privilege-escalationmitrethird-party-advisory
- www.realtek.com/en/mitreproduct
News mentions
0No linked articles in our index yet.