CVE-2026-8049

Summary

In SignalRGB versions prior to 1.3.7.0, the \.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs.

Affected Software

VendorProductVersion RangeStatus
SignalRGBSignalRGB kernel driver0 < 1.3.7.0affected

Weaknesses

  • CWE-284

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References