CISA issues advisory on Safetica kernel driver IOCTL vulnerability
ProcessMonitorDriver.sys, the kernel driver in Safetica endpoint client x64, contains an IOCTL-related vulnerability that lets a local, unprivileged user request privileged termination of protected system processes, an action that can disable Safetica monitoring or cause service interruption.
The technical details list CVE-2026-0828 and the affected Safetica endpoint client x64 versions, 10.5.75.0 and 11.11.4.0; the vulnerable component is the ProcessMonitorDriver.sys kernel driver. The issue lies in an Input/Output Control (IOCTL) path that user-mode software can invoke to send commands into kernel space, where the driver performs privileged actions such as terminating processes. The advisory attributes the flaw to improper input sanitization and user validation, which can be manipulated to achieve privilege escalation and Denial of Service (DoS).
The advisory states that terminating Safetica's Endpoint Detection and Response (EDR) and Antivirus (AV) processes can blind the security monitoring on customers' machines. A threat actor who leverages this vulnerability could also use the IOCTL path to terminate processes repeatedly, leading to a DoS condition that renders Safetica's systems unavailable.
At the time of publication, no vendor-supported fix is available for the vulnerability in the Safetica Data Loss Prevention (DLP) kernel driver ProcessMonitorDriver.sys, which allows unprivileged users to abuse its exposed IOCTL handlers to terminate arbitrary processes. The advisory recommends applying mitigations until the vendor provides an official patch or guidance.
The advisory recommends monitoring for and detecting abuse of IOCTL calls to the driver by deploying kernel driver monitoring such as EDR or System Monitor-like telemetry (where supported) to identify unprivileged processes, detect unusual IOCTL patterns, and alert security teams when user-mode processes interact with the kernel driver. It also recommends restricting or blocking access to ProcessMonitorDriver.sys through Windows Group Policy or application control policies (WDAC/AppLocker) so that untrusted or non-administrative processes cannot load or interact with the driver, noting that these enforcement mechanisms can block untrusted or unsigned binaries from communicating with it.
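As an added illustration of the monitoring recommendation above (example code written for this summary, not part of the advisory or of any CISA or Safetica tooling): a small Python detector that runs over constructed DeviceIoControl telemetry in a hypothetical EDR schema and flags the two behaviours the advisory describes, an unprivileged process talking to the driver and a burst of IOCTLs from one process. The device name and the event field names are assumptions, since the advisory does not name the device object the driver exposes.

```python
from collections import defaultdict

# Placeholder: the advisory does not name the device object ProcessMonitorDriver.sys exposes.
TARGET_DEVICE = r"\\.\PLACEHOLDER_SAFETICA_DEVICE"
# Integrity levels treated as unprivileged (non-administrative) callers.
UNPRIVILEGED = {"Low", "Medium"}

# Constructed sample events in a hypothetical EDR schema: one record per
# DeviceIoControl call observed from user mode (field names and paths are assumptions).
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4120, "image": r"C:\Users\alice\tool.exe", "integrity": "Medium", "device": TARGET_DEVICE},
    {"ts": 100.2, "pid": 4120, "image": r"C:\Users\alice\tool.exe", "integrity": "Medium", "device": TARGET_DEVICE},
    {"ts": 100.4, "pid": 4120, "image": r"C:\Users\alice\tool.exe", "integrity": "Medium", "device": TARGET_DEVICE},
    {"ts": 101.0, "pid": 812, "image": r"C:\Program Files\Safetica\Agent.exe", "integrity": "System", "device": TARGET_DEVICE},
    {"ts": 140.0, "pid": 5000, "image": r"C:\Users\bob\editor.exe", "integrity": "Medium", "device": r"\\.\SomeOtherDevice"},
]

def detect_driver_abuse(events, driver_device=TARGET_DEVICE, window=5.0, burst=3):
    """Return one alert dict per finding, in time order.

    Rules (both derived from the advisory's description of the attack):
      unprivileged_ioctl - a Low/Medium-integrity process sent an IOCTL to the driver
      ioctl_burst        - one pid sent `burst` or more IOCTLs to the driver within `window` seconds
    Each rule fires at most once per pid to keep alert volume manageable.
    """
    alerts = []
    recent = defaultdict(list)   # pid -> timestamps of IOCTLs to the driver
    reported = set()             # (rule, pid) pairs already alerted on
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("device") != driver_device:
            continue             # traffic to other devices is out of scope
        pid = ev["pid"]
        if ev.get("integrity") in UNPRIVILEGED and ("unprivileged_ioctl", pid) not in reported:
            reported.add(("unprivileged_ioctl", pid))
            alerts.append({"rule": "unprivileged_ioctl", "pid": pid, "image": ev["image"], "ts": ev["ts"]})
        stamps = recent[pid]
        stamps.append(ev["ts"])
        while stamps and ev["ts"] - stamps[0] > window:
            stamps.pop(0)        # slide the window forward
        if len(stamps) >= burst and ("ioctl_burst", pid) not in reported:
            reported.add(("ioctl_burst", pid))
            alerts.append({"rule": "ioctl_burst", "pid": pid, "image": ev["image"], "count": len(stamps), "ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_driver_abuse(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the System-integrity Safetica agent and the process talking to an unrelated device produce no alerts; only the Medium-integrity process that hits the driver three times in under a second is reported, once per rule.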