VYPR
Unrated severity · NVD Advisory · Published May 14, 2024 · Updated Jul 28, 2025

WinFlash Driver Permissions Issue

CVE-2023-35841

Description

A Phoenix WinFlash kernel driver IOCTL lacks access control, allowing non-admin users to escalate privileges and modify system firmware.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the TdkLib64.sys kernel driver distributed as part of the Phoenix WinFlash Driver, prior to version 4.5.0.0. The driver exposes an IOCTL interface with insufficient access control (CWE-782). A non-privileged user can send a specially crafted IOCTL request to the driver, which performs operations without proper privilege checks [1], [2].

Exploitation

An attacker must be able to execute code on the target Windows system, though no administrator privileges are required. By sending a specific IOCTL request to the vulnerable driver, the attacker can perform I/O operations to any hardware port or physical address. The driver is reachable from user mode because it does not validate the caller's privilege level. No user interaction beyond launching the malicious application is needed [2], [3].

Impact

Successful exploitation allows an attacker without administrator privileges to read, erase, or alter the system firmware. This can lead to permanent denial of service, bootkit installation, or privilege escalation to kernel level, enabling full control of the system [1], [2], [3].

Mitigation

Phoenix Technologies released a patched driver in June 2023. All WinFlash Driver versions newer than 4.5.0.0 contain the fix. Users should update to version 4.5.0.0 or later. If the driver is from a deprecated product, organizations should consider removing the driver or blocking it with HVCI (Hypervisor-Protected Code Integrity) policies where possible [2], [3].
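
As an added example, not taken from the advisory or from Phoenix Technologies, the following PowerShell script applies the guidance above on a Windows host: it finds TdkLib64.sys as a registered kernel service and on disk, compares each copy's file version against the fixed release 4.5.0.0 stated above, and reports whether HVCI is running. The file name and version threshold come from the advisory; the search roots, the FileVersion parsing, and the reading of Win32_DeviceGuard (value 2 in SecurityServicesRunning means HVCI) are the example's own assumptions.

```powershell
# Added example (not from the advisory or the vendor): inventory the Phoenix
# WinFlash driver TdkLib64.sys, compare it with the fixed version 4.5.0.0
# named in the advisory, and report the HVCI state. Read-only; run elevated.
# Assumptions: the search roots below, and that FileVersion begins with a
# dotted numeric version.

$FixedVersion = [version]'4.5.0.0'   # first fixed release per the advisory
$DriverName   = 'TdkLib64.sys'       # affected driver per the advisory

# 1. Is the driver registered as a kernel service (and is it running)?
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverName*" }

if (-not $services) {
    Write-Output "$DriverName is not registered as a kernel service."
}
foreach ($svc in $services) {
    Write-Output ("Service {0}: state={1} path={2}" -f $svc.Name, $svc.State, $svc.PathName)
}

# 2. Locate copies on disk and compare file versions with the fixed release.
#    Search roots are an assumption; extend them for your own estate.
$roots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
)
$files = foreach ($root in $roots) {
    if ($root -and (Test-Path -LiteralPath $root)) {
        Get-ChildItem -LiteralPath $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue
    }
}

if (-not $files) {
    Write-Output "$DriverName not found on disk under the searched roots."
}
foreach ($f in $files) {
    $raw = $f.VersionInfo.FileVersion
    $ver = $null
    # FileVersion strings may carry suffixes; parse only the leading dotted numbers.
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }

    $verdict = if ($null -eq $ver)           { 'UNKNOWN (no parseable version)' }
               elseif ($ver -lt $FixedVersion) { 'VULNERABLE (older than 4.5.0.0)' }
               else                            { 'patched (4.5.0.0 or later)' }
    Write-Output ("{0}`n  FileVersion={1}  verdict={2}" -f $f.FullName, $raw, $verdict)
}

# 3. Is Hypervisor-Protected Code Integrity running? On Win32_DeviceGuard the
#    value 2 in SecurityServicesRunning denotes HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $hvciRunning = $dg.SecurityServicesRunning -contains 2
    Write-Output ("HVCI running: {0}" -f $hvciRunning)
} else {
    Write-Output "Win32_DeviceGuard unavailable; cannot determine HVCI state."
}
```

Run it from an elevated PowerShell session; it changes nothing on the host. A VULNERABLE verdict on a loaded driver means the host should receive the vendor's 4.5.0.0 or later driver, or, where the driver belongs to a deprecated product, have the driver removed or blocked through the HVCI-enforced code-integrity policy the advisory recommends.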

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The TdkLib64.sys driver lacks privilege checks on IOCTL requests, allowing any user who can format the encoded IOCTL data to execute firmware operations."

Attack vector

An unprivileged user on Windows can send specially crafted IOCTL requests to the TdkLib64.sys driver. The driver decodes the IOCTL data using its unique byte map table and validates the header values; if the data format is correct, the IOCTL handler executes without checking the caller's privilege level [1]. This allows the attacker to perform arbitrary firmware read/write operations, leading to privilege escalation.

Affected code

The vulnerability resides in the TdkLib64.sys kernel driver. The driver implements a unique buffer encoding scheme for IOCTL requests: it decodes incoming IOCTL data using a byte map table, validates header values, executes the handler, and then re-encodes the result. Non-privileged users can send IOCTL requests if they format the data correctly, bypassing any access control.

What the fix does

The advisory does not include a published patch. The vendor (Phoenix Technologies) released WinFlash Driver version 4.5.0.0, which presumably adds proper access control checks to the IOCTL handler in TdkLib64.sys. Without the patch diff, the exact changes are unknown, but the fix likely validates that the calling process has the required privilege (e.g., SE_LOAD_DRIVER_PRIVILEGE) before processing IOCTL requests, similar to the cpuz.sys example described in [1].

Preconditions

  • config: The vulnerable TdkLib64.sys driver must be loaded on the system.
  • input: The attacker must be able to send IOCTL requests to the driver device (no administrative privileges required).

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
