CVE-2026-23764

VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems.

VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems.

VB-Audio Voicemeeter, Voicemeeter Banana y Voicemeeter Potato (versiones que terminan en 1.1.1.9, 2.1.1.9 y 3.1.1.9 y anteriores, respectivamente), así como VB-Audio Matrix y Matrix Coconut (versiones que terminan en 1.0.2.2 y 2.0.2.2 y anteriores, respectivamente), contienen una vulnerabilidad en sus controladores de audio virtuales (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys y vbaudio_vmvaio3*.sys). Los controladores asignan un grupo no paginado y lo mapean en el espacio de usuario, donde un valor de longitud asociado con la asignación está expuesto y puede ser modificado por un atacante local no privilegiado. En el manejo posterior de IOCTL, la longitud corrupta se utiliza directamente como el argumento de longitud de IoAllocateMdl sin comprobaciones de integridad adecuadas antes de construir y mapear el MDL, lo que puede causar un fallo del kernel (BSoD), típicamente PAGE_FAULT_IN_NONPAGED_AREA. Esta falla permite a un usuario local activar una denegación de servicio en sistemas Windows afectados.