CVE-2026-8501
Description
The PCTCore64.sys Windows kernel driver lacks proper access control on its device interface, allowing unprivileged local users to invoke privileged IOCTL handlers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PCTCore64.sys Windows kernel driver, part of the discontinued PC Tools Internet Security suite, contains an improper access control vulnerability. The driver creates a WDM device object reachable as \\.\PCTCoreDriver without applying a restrictive security descriptor, such as a Security Descriptor Definition Language (SDDL) string supplied through the IoCreateDeviceSecure API [2], [3]. Because no DACL limits who may open the device, any user-mode process, regardless of privilege, can obtain a handle to it and interact with its IOCTL interface.
Exploitation
An attacker must have local access to the system to exploit this vulnerability. In a Bring Your Own Vulnerable Driver (BYOVD) scenario, an attacker can load the signed, vulnerable driver onto the target system [2]. Once loaded, the attacker can use standard Windows APIs to open a handle to \\.\PCTCoreDriver and issue arbitrary IOCTL requests to the driver, bypassing standard user-mode restrictions [2].
Impact
Successful exploitation allows an unprivileged local attacker to perform sensitive, privileged operations within the kernel context. These operations include system-wide handle enumeration, cross-process handle manipulation, credential extraction from lsass.exe, and the forced termination of arbitrary processes, including those protected by Protected Process Light (PPL) [2].
Mitigation
The PC Tools Internet Security product line was discontinued in 2013 and is no longer maintained [2]. Users are advised to block the vulnerable driver using the Microsoft vulnerable driver blocklist to prevent it from being loaded on the system [1].
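As an added audit example (not part of this CVE record or of the PC Tools code), the following PowerShell script checks a host for the driver named above and for the Microsoft vulnerable driver blocklist setting. It assumes the driver registers as a system driver whose path contains PCTCore64.sys; the registry value and CIM classes used are the standard Windows ones.

```powershell
# Added host audit for the mitigation above; not from the CVE record.
# Assumptions: the driver registers as a Win32_SystemDriver whose PathName
# contains PCTCore64.sys (name taken from the CVE text); the blocklist toggle
# is the documented VulnerableDriverBlocklistEnable value under CI\Config.
$DriverFile = 'PCTCore64.sys'
$findings   = @()

# 1. Is the driver registered or running as a kernel service?
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -and $_.PathName -like "*$DriverFile*" }
foreach ($s in $svc) {
    $findings += "DRIVER    service='$($s.Name)' state=$($s.State) path=$($s.PathName)"
}

# 2. Is a copy staged in the drivers directory? (BYOVD drops the file locally.)
$copies = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter $DriverFile -ErrorAction SilentlyContinue
foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $findings += "FILE      $($f.FullName) signer='$($sig.SignerCertificate.Subject)' status=$($sig.Status)"
}

# 3. Is the Microsoft vulnerable driver blocklist explicitly enabled?
$ci  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$val = (Get-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
switch ($val) {
    1       { $findings += 'BLOCKLIST VulnerableDriverBlocklistEnable=1 (enabled)' }
    0       { $findings += 'BLOCKLIST VulnerableDriverBlocklistEnable=0 (disabled; re-enable it)' }
    default { $findings += 'BLOCKLIST value not set; host relies on the build default' }
}

# 4. Is HVCI (memory integrity) running? The blocklist is on by default when it is.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) {
    $findings += 'HVCI      running'
} else {
    $findings += 'HVCI      not running; check that the blocklist is still enforced'
}

if ($svc -or $copies) { $findings += 'ACTION    vulnerable driver present: block and remove it' }
$findings
```

Run it from an elevated PowerShell session so the service list and the CI registry key are readable; each output line is one finding for the host.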
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.