CVE-2021-47786 Overview
CVE-2021-47786 is an out-of-bounds write vulnerability (CWE-787) in the Redragon Gaming Mouse kernel driver (REDRAGONMOUSE.sys). A local attacker can send a malformed IOCTL request to the REDRAGON_MOUSE device: a 2000-byte input buffer with specific byte patterns is enough to make the driver write past the end of its buffer. Because the fault occurs in kernel mode, the result is not a crashed process but a bug check (blue screen) and reboot of the whole system, i.e. a denial of service.
Critical Impact
Local attackers with low privileges can crash the kernel driver, causing denial of service on affected Windows systems running vulnerable Redragon Gaming Mouse drivers.
Affected Products
- Redragon Gaming Mouse Driver (REDRAGONMOUSE.sys)
- Windows systems with Redragon gaming mouse software installed
Discovery Timeline
- 2026-01-16 - CVE-2021-47786 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47786
Vulnerability Analysis
This vulnerability exists in the Redragon Gaming Mouse kernel driver, specifically in how it processes IOCTL (Input/Output Control) requests. The driver fails to properly validate the size and content of input buffers before processing them, leading to an out-of-bounds write condition. When a malicious local user sends a specially crafted IOCTL request with a 2000-byte buffer containing specific byte patterns to the REDRAGON_MOUSE device, the driver writes data beyond the intended memory boundaries.
Exploitation requires local access with low privileges, so it is within reach of malware already running on the host or of any malicious local user. The reported impact is denial of service only; no code execution or information disclosure is described for this issue. Even so, a kernel crash disrupts operations and can cause data loss if it happens while unsaved data or in-flight writes are pending.
Root Cause
The root cause of CVE-2021-47786 is improper input validation in the kernel driver's IOCTL handler. The REDRAGONMOUSE.sys driver does not adequately verify the bounds of user-supplied input buffers before performing memory operations. In a Windows driver this check is normally a comparison of the request's Parameters.DeviceIoControl.InputBufferLength (and OutputBufferLength) against the size the handler actually expects, made before any copy into the driver's own structures. Because that comparison is missing, an attacker can supply oversized or malformed data that triggers an out-of-bounds write, corrupting kernel memory and causing a system crash.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to the target system. The attacker must be able to open a handle to the REDRAGON_MOUSE device and send IOCTL requests. The exploitation process involves:
- Opening a handle to the vulnerable device (\\.\REDRAGON_MOUSE)
- Crafting a malicious 2000-byte buffer with specific byte patterns
- Sending the crafted buffer via a DeviceIoControl call with a specific IOCTL code
- The driver processes the malformed input without proper validation
- An out-of-bounds write occurs, causing kernel memory corruption
- The system crashes or becomes unstable
For technical details and proof-of-concept information, refer to the GitHub Kernel Driver Bugs repository and Exploit-DB #50322.
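The following is an added illustration of the bug class described under Root Cause and of the request shape described in the steps above; it is not code from the Redragon driver or from the referenced PoC. The driver's real IOCTL code, internal layout and buffer sizes are not given on this page, so the example assumes a handler that copies the caller's input buffer into a fixed 64-byte settings area, models the IRP's InputBufferLength as a plain length argument, and uses a 4 KiB byte array in place of kernel pool so that the overrun can be observed (as corruption of a canary placed right after the settings area) rather than crashing the process. The vulnerable handler and its hardened counterpart are shown side by side.

```c
/*
 * Added example (not the Redragon driver's code): user-mode simulation of an
 * IOCTL handler with a missing length check (CWE-787) next to a hardened one.
 * Assumptions: DEVICE_STATE_LEN, the pool layout and the status values used are
 * illustrative; the 2000-byte request length is the one named in the advisory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_LEN          4096        /* simulated kernel pool */
#define DEVICE_STATE_LEN  64          /* assumed size of the driver's settings area */
#define CANARY_OFF        DEVICE_STATE_LEN
#define CANARY_LEN        8
#define REQUEST_LEN       2000        /* buffer size named in the advisory */

/* NTSTATUS values as a driver would return them in Irp->IoStatus.Status */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INVALID_BUFFER_SIZE  0xC0000206u

static const uint8_t canary[CANARY_LEN] = {0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D};

/* Lay out the simulated pool: settings area at offset 0, canary right after it. */
static void init_pool(uint8_t *pool)
{
    memset(pool, 0, POOL_LEN);
    memcpy(pool + CANARY_OFF, canary, CANARY_LEN);
}

/* 1 if the bytes adjacent to the settings area are untouched, else 0. */
static int canary_intact(const uint8_t *pool)
{
    return memcmp(pool + CANARY_OFF, canary, CANARY_LEN) == 0;
}

/*
 * Vulnerable handler: trusts the caller-controlled length (InputBufferLength)
 * and copies the whole input buffer into the fixed-size settings area.
 * With in_len == 2000 the copy runs 1936 bytes past the end of the area.
 */
static unsigned vulnerable_ioctl_set(uint8_t *pool, const uint8_t *in, size_t in_len)
{
    memcpy(pool, in, in_len);            /* no comparison against DEVICE_STATE_LEN */
    return STATUS_SUCCESS;
}

/*
 * Hardened handler: rejects any request whose length does not fit the
 * destination before touching memory, and rejects an empty request too.
 */
static unsigned hardened_ioctl_set(uint8_t *pool, const uint8_t *in, size_t in_len)
{
    if (in == NULL || in_len == 0 || in_len > DEVICE_STATE_LEN)
        return STATUS_INVALID_BUFFER_SIZE;
    memcpy(pool, in, in_len);
    return STATUS_SUCCESS;
}

/* Constructed attacker input: in_len bytes of a constant pattern. */
static void build_request(uint8_t *buf, size_t len)
{
    memset(buf, 0x41, len);
}

/* Send a request of in_len bytes to the vulnerable handler; 1 if the canary was corrupted. */
int vulnerable_case_corrupts(size_t in_len)
{
    uint8_t pool[POOL_LEN], req[POOL_LEN];
    if (in_len > POOL_LEN)
        return -1;                       /* keep the simulation itself in bounds */
    init_pool(pool);
    build_request(req, in_len);
    vulnerable_ioctl_set(pool, req, in_len);
    return !canary_intact(pool);
}

/* Status the hardened handler returns for a request of in_len bytes. */
unsigned hardened_case_status(size_t in_len)
{
    uint8_t pool[POOL_LEN], req[POOL_LEN];
    if (in_len > POOL_LEN)
        return STATUS_INVALID_BUFFER_SIZE;
    init_pool(pool);
    build_request(req, in_len);
    return hardened_ioctl_set(pool, req, in_len);
}

/* 1 if the hardened handler let a request of in_len bytes corrupt the canary. */
int hardened_case_corrupts(size_t in_len)
{
    uint8_t pool[POOL_LEN], req[POOL_LEN];
    if (in_len > POOL_LEN)
        return -1;
    init_pool(pool);
    build_request(req, in_len);
    hardened_ioctl_set(pool, req, in_len);
    return !canary_intact(pool);
}

int main(void)
{
    printf("vulnerable handler, %d-byte request: canary %s\n", REQUEST_LEN,
           vulnerable_case_corrupts(REQUEST_LEN) ? "corrupted" : "intact");
    printf("hardened handler,   %d-byte request: status 0x%08X, canary %s\n", REQUEST_LEN,
           hardened_case_status(REQUEST_LEN),
           hardened_case_corrupts(REQUEST_LEN) ? "corrupted" : "intact");
    return 0;
}
```

The point the simulation makes is that the fix is a single comparison placed before the copy: the handler must derive the copy length from its own structure size, never from the request. In a real driver the same check applies to every IOCTL the dispatch routine accepts, and for METHOD_NEITHER requests the user pointers additionally need ProbeForRead/ProbeForWrite inside a try/except block, which this user-mode sketch does not model.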
Detection Methods for CVE-2021-47786
Indicators of Compromise
- Unexpected system crashes or blue screens (BSOD) associated with REDRAGONMOUSE.sys
- Crash dumps in which the faulting module (MODULE_NAME / IMAGE_NAME in WinDbg's !analyze -v output) is REDRAGONMOUSE.sys
- Unusual IOCTL request patterns to the REDRAGON_MOUSE device
- Evidence of DeviceIoControl calls with large buffers targeting gaming peripheral drivers
Detection Strategies
- Monitor for system crash events (Event ID 1001, source BugCheck, in the System log). The event itself only carries the bug check code and dump path, so follow up by analyzing the referenced dump for REDRAGONMOUSE.sys as the faulting module
- Deploy endpoint detection rules to identify suspicious IOCTL requests to the \\.\REDRAGON_MOUSE device. Windows does not log DeviceIoControl calls by default, so this requires an EDR sensor or filter driver that observes device handle opens and IOCTLs
- Use kernel driver integrity monitoring to detect exploitation attempts against vulnerable drivers
- Implement application control (for example AppLocker or WDAC) so that unauthorized executables cannot run at all, since any process able to open the device can send the IOCTL
Monitoring Recommendations
- Enable Windows Error Reporting and crash dump collection to capture driver crash events
- Monitor for repeated system instability on endpoints with Redragon gaming peripherals installed
- Use SentinelOne Singularity platform to detect kernel-level anomalies and driver exploitation attempts
- Review driver installation logs (C:\Windows\INF\setupapi.dev.log records driver package installs) for outdated or vulnerable versions of Redragon software
How to Mitigate CVE-2021-47786
Immediate Actions Required
- Audit systems for the presence of vulnerable Redragon Gaming Mouse drivers
- Consider temporarily removing or disabling the Redragon driver if not critical to operations
- Restrict device access permissions to limit which users can send IOCTL requests. Note that a device object's DACL is normally fixed by the driver when it creates the device, so this may not be adjustable locally and is primarily a vendor fix
- Implement endpoint protection solutions capable of detecting kernel driver exploitation
Patch Information
Check the Redragon Official Website for updated driver versions that address this vulnerability. Review the Vulncheck Advisory for additional remediation guidance. Organizations should prioritize driver updates on systems where gaming peripherals are used in enterprise environments.
Workarounds
- Remove or disable the vulnerable REDRAGONMOUSE.sys driver if it is not required for operations
- Restrict local user access to systems with vulnerable drivers to reduce the attack surface
- Use Windows Device Installation policies to prevent installation of unauthorized or vulnerable drivers
- Deploy endpoint protection that monitors kernel driver activity and can block malicious IOCTL requests
# PowerShell, run elevated. The service name REDRAGONMOUSE is assumed from the
# driver file name REDRAGONMOUSE.sys; confirm it with the first two commands.
# Use sc.exe explicitly: in PowerShell a bare "sc" resolves to the Set-Content alias.
# Check for presence of the vulnerable driver
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'REDRAGONMOUSE' }
sc.exe query REDRAGONMOUSE
# If present and not needed, prevent the driver from loading at boot
sc.exe config REDRAGONMOUSE start= disabled
# Stop the driver service (a loaded kernel driver may refuse to stop; the disabled
# start type then takes effect at the next reboot)
sc.exe stop REDRAGONMOUSE
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


