VDB
CVE-2026-8049
CVE-2026-8049
PUBLISHED
CVSS 5.3 MEDIUM
Reported by certcc · Published June 17, 2026
In SignalRGB versions prior to 1.3.7.0, the \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs.
Risk Scores
CVSS 3.1
5.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SignalRGB | SignalRGB kernel driver | 0 |
| SignalRGB | SignalRGB kernel driver | 0, 0 |
Timeline
- Jun 17, 2026 CVE Published
- Jun 18, 2026 EPSS Score
- Jun 18, 2026 Coalition ESS Score
- Jun 18, 2026 CVE Updated