CISA reports SignalRGB SignalIo.sys IOCTL flaws and fix
The SignalRGB kernel driver SignalIo.sys contains vulnerabilities involving improper access control and unsafe memory handling. The issues include an overly permissive device object access setup that enables user-mode processes to reach privileged IOCTL functionality, and multiple IOCTL handlers that can dereference a NULL pointer and crash the kernel.
Two vulnerabilities are identified. CVE-2026-8049 concerns the \\.\SignalIo device object, which is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN, resulting in overly permissive default access control that allows any authenticated local user to obtain a handle to the device and issue privileged IOCTLs. CVE-2026-8050 involves seven of sixteen IOCTL handlers that dereference the SystemBuffer pointer without verifying it is non-NULL; sending an IOCTL with an empty input buffer causes a NULL pointer dereference and a kernel crash. The advisory states that SignalRGB’s affected driver behavior is addressed in the 1.3.7.0 driver release.
Because of the device’s insufficient access control, user-mode interaction with privileged IOCTL interfaces and sensitive driver functionality is possible, including read/write access to the PCI configuration space of system devices. Separately, an authenticated local attacker can trigger repeated kernel crashes by accessing the \\.\SignalIo device and sending NULL input buffers to any of the seven vulnerable IOCTLs.
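The following is an added illustration, not SignalRGB's code and not the actual SignalIo.sys handlers. It models the buffered-I/O IOCTL path in plain C with stand-in types (ModelIrp, the MODEL_STATUS_* codes, the PciReadRequest layout and the IOCTL number are all invented for the example) so that it compiles without the WDK. It places the unchecked pattern the advisory describes for CVE-2026-8050 next to a handler that validates the SystemBuffer pointer and both buffer lengths before dereferencing anything:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for NTSTATUS values and the IRP/IO_STACK_LOCATION fields a
 * METHOD_BUFFERED handler reads. Assumption: the driver uses buffered I/O,
 * so one SystemBuffer carries both input and output. */
typedef int32_t NTSTATUS_MODEL;
#define MODEL_STATUS_SUCCESS                 0
#define MODEL_STATUS_INVALID_PARAMETER      -1
#define MODEL_STATUS_BUFFER_TOO_SMALL       -2
#define MODEL_STATUS_INVALID_DEVICE_REQUEST -3

typedef struct {
    void    *system_buffer;   /* NULL when the caller passed no buffer */
    size_t   input_length;
    size_t   output_length;
    uint32_t ioctl_code;
    size_t   bytes_returned;
} ModelIrp;

/* Hypothetical request/response for a PCI config-space read; the layout is
 * constructed for this example, not taken from the driver. */
typedef struct { uint32_t bus, device, function, offset; } PciReadRequest;
typedef struct { uint32_t value; } PciReadResponse;
#define MODEL_IOCTL_PCI_READ 0x8001u

/* Simulated backend (a real driver would call a HAL/bus routine). */
static uint32_t model_pci_read(const PciReadRequest *req) {
    return 0x8086u ^ req->offset;   /* constructed value */
}

/* Vulnerable pattern: SystemBuffer is dereferenced with no NULL or length
 * check. An empty input buffer makes system_buffer NULL, which faults here
 * (a bugcheck in the kernel). This function is shown for contrast only. */
NTSTATUS_MODEL ioctl_pci_read_unchecked(ModelIrp *irp) {
    PciReadRequest *req = (PciReadRequest *)irp->system_buffer;
    ((PciReadResponse *)irp->system_buffer)->value = model_pci_read(req);
    irp->bytes_returned = sizeof(PciReadResponse);
    return MODEL_STATUS_SUCCESS;
}

/* Hardened pattern: reject a missing or undersized buffer, copy the request
 * out before writing the response (input and output overlap), and bound the
 * offset to the 4 KiB config space on a 4-byte boundary. */
NTSTATUS_MODEL ioctl_pci_read_checked(ModelIrp *irp) {
    irp->bytes_returned = 0;
    if (irp->system_buffer == NULL)                  return MODEL_STATUS_INVALID_PARAMETER;
    if (irp->input_length  < sizeof(PciReadRequest)) return MODEL_STATUS_INVALID_PARAMETER;
    if (irp->output_length < sizeof(PciReadResponse)) return MODEL_STATUS_BUFFER_TOO_SMALL;

    PciReadRequest req;
    memcpy(&req, irp->system_buffer, sizeof req);
    if (req.offset > 0xFFCu || (req.offset & 3u) != 0) return MODEL_STATUS_INVALID_PARAMETER;

    PciReadResponse resp = { model_pci_read(&req) };
    memcpy(irp->system_buffer, &resp, sizeof resp);
    irp->bytes_returned = sizeof resp;
    return MODEL_STATUS_SUCCESS;
}

NTSTATUS_MODEL dispatch_ioctl(ModelIrp *irp) {
    switch (irp->ioctl_code) {
    case MODEL_IOCTL_PCI_READ: return ioctl_pci_read_checked(irp);
    default:                   return MODEL_STATUS_INVALID_DEVICE_REQUEST;
    }
}

/* Scenario helpers: the empty-buffer case from the advisory, an undersized
 * buffer, and a well-formed request. */
NTSTATUS_MODEL demo_null_buffer(void) {
    ModelIrp irp = {0};
    irp.ioctl_code = MODEL_IOCTL_PCI_READ;      /* no buffer at all */
    return dispatch_ioctl(&irp);
}

NTSTATUS_MODEL demo_short_buffer(void) {
    uint8_t buf[4] = {0};
    ModelIrp irp = { buf, sizeof buf, sizeof buf, MODEL_IOCTL_PCI_READ, 0 };
    return dispatch_ioctl(&irp);
}

uint32_t demo_valid_value(void) {
    uint8_t buf[sizeof(PciReadRequest)];
    PciReadRequest req = { 0, 0, 0, 0x10u };
    memcpy(buf, &req, sizeof req);
    ModelIrp irp = { buf, sizeof buf, sizeof buf, MODEL_IOCTL_PCI_READ, 0 };
    if (dispatch_ioctl(&irp) != MODEL_STATUS_SUCCESS) return 0xFFFFFFFFu;
    PciReadResponse resp;
    memcpy(&resp, buf, sizeof resp);
    return resp.value;
}

int main(void) {
    printf("NULL buffer  -> %d\n", demo_null_buffer());
    printf("short buffer -> %d\n", demo_short_buffer());
    printf("valid read   -> 0x%08x\n", demo_valid_value());
    return 0;
}
```

The access-control half (CVE-2026-8049) is fixed at device creation rather than in the handlers: creating the device object with IoCreateDeviceSecure, passing an SDDL string such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL (SYSTEM and Administrators only) and setting FILE_DEVICE_SECURE_OPEN in the device characteristics so the descriptor is enforced on every open, including opens through a namespace path. Whether the 1.3.7.0 release uses exactly this API is not stated in the advisory.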
SignalRGB remediated these vulnerabilities in the recent 1.3.7.0 driver release. The guidance provided also says organizations should update and/or block the previous vulnerable driver version where possible, and implement mitigations designed to reduce exposure to BYOVD attacks, including restricting administrative privileges, enforcing Microsoft’s recommended driver block rules, and enabling protections such as Windows Defender Application Control (WDAC) or an equivalent EDR solution for the environment.
The advisory credits Shravan Kumar Sheri for researching and reporting the vulnerabilities and SignalRGB for prompt engagement and coordination, and it notes that the document was written by Molly Jaconski. It also lists CVE-2026-8050 and CVE-2026-8049 with a public date of 2026-06-17 and a document revision of 1.