CVE-2026-14960

Summary

Pegatron Tdelo64.sys improperly exposes privileged hardware access functionality through the \\.\TdeIo device interface. IOCTL handlers including TDE_IOCTL_INDEXIO_READ and TDE_IOCTL_INDEXIO_WRITE permit unprivileged user-mode callers to perform arbitrary hardware I/O port reads and writes without authorization checks. A local attacker can abuse this functionality to manipulate hardware registers, tamper with firmware-related interfaces, cause system instability, or establish persistent low-level compromise.

Affected Software

VendorProductVersion RangeStatus
Pegatron Corp.Tdelo64.sys02-17-2025 <= 02-17-2025affected

Weaknesses

  • CWE-284 Improper Access Control
  • CWE-668 Exposure of Resource to Wrong Sphere
  • CWE-269 Improper Privilege Management

References