CVE-2026-23762: VB-Audio Voicemeeter Driver Local DoS via MmMapLockedPagesSpecifyCache

CVE-2026-23762: VB-Audio Voicemeeter & Matrix Drivers DoS via MmMapLockedPagesSpecifyCache CVSS Score: 6.9 CVSS Severity: Medium Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CWE ID: CWE-755 Improper Handling of Exceptional Conditions Vulnerability Description VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64.sys, vbmatrixvaio64.sys, vbaudio_vmauxvaio.sys, vbaudio_vmvaio.sys, and vbaudio_vmvaio3.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSOD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. Affected Products Tested Environments Windows 11, Version 10.0.26100 Build 26100 Windows 10, Version 10.0.19045 Build 19045 Windows 7, Version 6.1.7601 Service Pack 1 Build 7601 Technical Details A handle to the driver must be created by using CreateFileA with dwFlagsAndAttributes of 0x800. The driver checks this value specifically to recognize Voicemeeter / Matrix opening the handle. In the MajorFunction[IRP_MJ_DEVICE_CONTROL] handler function, the driver maps non-paged pool kernel memory allocated with ExAllocatePool2 / ExAllocatePoolWithTag into user space with MmMapLockedPagesSpecifyCache with IOCTL 0x222054 (vbvoicemeetervaio64_win10.sys and vbmatrixvaio64_win10.sys), IOCTL 0x222044 (vbaudio_vmauxvaio.sys, vbaudio_vmvaio.sys and vbaudio_vmvaio3.sys) and IOCTL 0x222060 (vbmatrixvaio64*_win10.sys). No exception handling is performed by the driver for calls to MmMapLockedPagesSpecifyCache. This violates Microsoft driver development guidelines. How to Reproduce 1. Install Windows 11 in a VM. 2. Download and install one of the products listed above. 3. Compile the PoC code using latest MSVC 32bit. 4. Run the PoC executable. Screenshots IDA decompilation of the IOCTL handler function in vbvoicemeetervaio64_win10.sys

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-23762: VB-Audio Voicemeeter Driver Local DoS via MmMapLockedPagesSpecifyCache

More from this source