CVE-2026-12193
Description
A heap-based buffer overflow in the RevoDetector.sys driver in RevoUninstaller 2.5.x/2.6.x allows local attackers to escalate privileges via a crafted IOCTL request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow vulnerability exists in the IOCtl_Handler function within the RevoDetector.sys driver of RevoUninstaller versions 2.5.x and 2.6.x (up to 2.6.8). The driver is loaded when the Revo Uninstaller Helper service is enabled. The overflow occurs in the Non-Paged pool when processing a specially crafted IOCTL request, leading to memory corruption.
Exploitation
Exploitation requires local access to the system and the RevoDetector.sys driver to be loaded (i.e., the Revo Uninstaller Helper must be enabled). An attacker sends a malicious IOCTL to the driver, triggering a Non-Paged pool overflow. This overflow allows the attacker to achieve arbitrary read and write primitives in kernel memory. Using these primitives, the attacker can steal the system token and escalate privileges to NT AUTHORITY\SYSTEM. The exploit is publicly available [1] but is noted to be unstable, with approximately a 90% success rate and a risk of system crash.
Impact
Successful exploitation grants the attacker local privilege escalation to SYSTEM level, providing full control over the affected Windows system. The attacker can execute arbitrary code with kernel privileges, install programs, view/change data, or create new accounts with full user rights.
Mitigation
The vendor has addressed this vulnerability in RevoUninstaller version 2.7.0. Users are strongly advised to upgrade to this version or later. No official workaround is available; however, disabling the Revo Uninstaller Helper service (which loads the vulnerable driver) may reduce exposure. The driver is currently signed and not on the Microsoft block list, so it could be used in a BYOVD (Bring Your Own Vulnerable Driver) attack scenario [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.5.x, 2.6.x
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/Kalagious/RevoDetectorExploit/tree/master (nvd)
- jordanhiggins.blog/revouninstaller-pool-overflow-exploit/ (nvd)
- vandalsuidaho-my.sharepoint.com/:w:/g/personal/higg2059_vandals_uidaho_edu/IQAMHgdfpRAkSqDsoFVswIYNAXjPVFz-admcJyl5ITzYhu0 (nvd)
- vuldb.com/cve/CVE-2026-12193 (nvd)
- vuldb.com/submit/829132 (nvd)
- vuldb.com/submit/829133 (nvd)
- vuldb.com/vuln/370839 (nvd)
- vuldb.com/vuln/370839/cti (nvd)
- www.revouninstaller.com/start-freeware-download/ (nvd)
- youtu.be/JR0KPjWRTns (nvd)
News mentions
No linked articles in our index yet.