VDB

CVE-2026-8049

CVE-2026-8049 PUBLISHED CVSS 5.3 MEDIUM

Reported by certcc · Published June 17, 2026

In SignalRGB versions prior to 1.3.7.0, the \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs.

Risk Scores

CVSS 3.1
5.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected Products

VendorProductVersions
SignalRGBSignalRGB kernel driver0
SignalRGBSignalRGB kernel driver0, 0

Timeline

  • Jun 17, 2026 CVE Published
  • Jun 18, 2026 EPSS Score
  • Jun 18, 2026 Coalition ESS Score
  • Jun 18, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›