{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/msi-feature-manager/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-57851"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MSI Feature Manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability","windows","driver-vulnerability"],"_cs_type":"advisory","_cs_vendors":["MSI"],"content_html":"\u003cp\u003eA critical local privilege escalation (LPE) vulnerability, identified as CVE-2026-57851, has been discovered in the MSI Feature Manager software, specifically within its \u003ccode\u003eKernCoreLib64.sys\u003c/code\u003e kernel driver. This flaw enables any locally logged-on user to achieve SYSTEM-level privileges without requiring administrative credentials. The vulnerability stems from inadequately protected IOCTL handlers that grant direct access to arbitrary physical memory read/write operations and unrestricted I/O port access. Attackers can leverage these capabilities to directly interact with kernel objects, bypass Windows' Protected Process Light (PPL) mechanisms, disable installed security software, and manipulate kernel-mode callbacks, ultimately leading to a full compromise of the affected system. This vulnerability poses a significant risk to the integrity and security of systems running MSI Feature Manager, as it allows for complete control by a low-privileged local attacker.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eLocal User Execution\u003c/strong\u003e: A malicious application or script, executed by a standard local user on an affected Windows system, initiates the exploitation process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDriver Interface Interaction\u003c/strong\u003e: The malicious code attempts to interact with the \u003ccode\u003eKernCoreLib64.sys\u003c/code\u003e kernel driver's exposed device interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIOCTL Handler Access\u003c/strong\u003e: The attacker successfully opens a handle to the driver's device object and invokes specific, inadequately protected IOCTL (I/O Control) handlers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Memory/I/O Operations\u003c/strong\u003e: Through these vulnerable IOCTL handlers, the driver grants the attacker arbitrary physical memory read/write access and unrestricted I/O port operations, typically reserved for kernel-mode processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Object Manipulation\u003c/strong\u003e: The attacker uses these powerful primitives to manipulate sensitive kernel objects, modify kernel-mode data structures, or tamper with critical system callbacks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity Feature Bypass\u003c/strong\u003e: Leveraging kernel manipulation, the attacker bypasses Windows security mechanisms, such as Protected Process Light (PPL), which normally safeguards critical system processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity Software Disablement\u003c/strong\u003e: The attacker then utilizes their elevated kernel access to disable or tamper with installed endpoint security software, removing detection and prevention capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: With security measures bypassed and kernel control established, the attacker achieves SYSTEM-level privileges, gaining complete control over the compromised operating system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-57851 can lead to a complete compromise of an affected Windows system. Any local user, regardless of their default privileges, can elevate their access to SYSTEM, granting them full control over the operating system. This allows an attacker to install persistent malware, access or exfiltrate sensitive data, disable or tamper with security solutions, and establish backdoors. While no specific victim count or targeted sectors are mentioned, any organization or individual utilizing MSI Feature Manager on their Windows endpoints is susceptible, as the vulnerability is accessible to any locally authenticated user. The impact is severe, potentially leading to data breaches, system integrity loss, and further lateral movement within a compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching for CVE-2026-57851 on all systems running MSI Feature Manager immediately as recommended by the vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T17:24:50Z","date_published":"2026-07-07T17:24:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-msi-feature-manager-lpe/","summary":"A local privilege escalation vulnerability (CVE-2026-57851) exists in the MSI Feature Manager's KernCoreLib64.sys kernel driver that allows any local user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without requiring administrator privileges, enabling manipulation of kernel objects, tampering with kernel-mode callbacks, bypassing Protected Process Light, and disabling security software.","title":"CVE-2026-57851 — MSI Feature Manager Kernel Driver Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-msi-feature-manager-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed - MSI Feature Manager","version":"https://jsonfeed.org/version/1.1"}