CISA issues Pegatron tdeio64.sys IOCTL privilege escalation update
Pegatron’s tdeio64.sys Windows Driver Model (WDM) driver contains an unprotected IOCTL dispatch routine that can be triggered through user-supplied requests. This privilege escalation vulnerability can allow an unprivileged local attacker to obtain NT AUTHORITY\SYSTEM privileges and compromise the affected system.
The issue involves the tdeio64.sys driver distributed by Pegatron Corporation, which provides low-level access to system I/O ports and hardware components and exposes the \\.\TdeIo device interface. Two CVEs are described: CVE-2026-14961 and CVE-2026-14960. For CVE-2026-14961, sending a crafted DeviceIoControl request enables abuse of the driver’s IOCTL dispatcher to perform arbitrary kernel memory reads and writes; this capability can overwrite the current process token with the SYSTEM process token, resulting in privilege escalation to NT AUTHORITY\SYSTEM. For CVE-2026-14960, the driver exposes IOCTLs that can interact directly with hardware I/O ports, and successful exploitation may manipulate hardware resources in ways that extend beyond normal operating system protections.
Successful exploitation provides arbitrary kernel read and write capabilities, enabling a complete compromise of the operating system. The advisory also describes the ability to elevate privileges to NT AUTHORITY\SYSTEM, bypass or disable endpoint security controls, extract credentials from protected processes such as lsass.exe, install persistent rootkits, manipulate kernel data structures, and issue low-level hardware I/O operations.
At the time of publication, no vendor-supported fix is available for the Pegatron tdeio64.sys kernel driver vulnerability. The stated mitigations are to disable or remove the vulnerable driver where it is not required, prevent untrusted users from loading or interacting with the driver, and implement solutions such as Windows Defender Application Control (WDAC) or Hypervisor-Protected Code Integrity (HVCI) to block known vulnerable drivers from loading where supported.
Thanks to Lucian Alexandru Necula for researching and reporting the vulnerability, and the document was written by Michael Bragg. The advisory lists CVE IDs CVE-2026-14961 and CVE-2026-14960, with public and first-published dates of 2026-07-15 and a last-updated time of 2026-07-15 17:09 UTC.