CVE-2021-47786 Overview
CVE-2021-47786 affects the Redragon Gaming Mouse kernel driver (REDRAGONMOUSE.sys) used by multiple Redragon mouse product lines. The driver exposes a REDRAGON_MOUSE device interface that accepts I/O Control (IOCTL) requests from user-mode applications without sufficient input validation. A local attacker with low privileges can send a crafted 2000-byte buffer containing specific byte patterns to the device, triggering an out-of-bounds write [CWE-787] in kernel space. The result is a kernel driver crash and system-wide denial of service. The flaw impacts the firmware and driver components shipped with Redragon M725-lit, M617-lit, M910-ks, M801P-RGB, M602-ks, M914W-RGB, M816-Pro, M602A-RGB, M721, M602AW-RGB, M915RGB-WL, M712-RGB, M910-K, and BM-4091 devices.
Critical Impact
A local user can crash the Windows kernel and force a bugcheck (BSOD) by sending a malformed IOCTL to the REDRAGON_MOUSE device, disrupting endpoint availability.
Affected Products
- Redragon M725-lit, M617-lit, M910-ks, M801P-RGB mice and firmware
- Redragon M602-ks, M914W-RGB, M816-Pro, M602A-RGB, M721 mice and firmware
- Redragon M602AW-RGB, M915RGB-WL, M712-RGB, M910-K, BM-4091 mice and firmware
Discovery Timeline
- 2026-01-16 - CVE-2021-47786 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2021-47786
Vulnerability Analysis
The Redragon Gaming Mouse driver registers a kernel device object named REDRAGON_MOUSE and exposes it to user-mode callers. User-mode code can open a handle to this device using a standard CreateFile call and issue DeviceIoControl requests against it. The driver's IOCTL dispatch routine fails to validate the size and content of the input buffer before processing it inside the kernel. When a caller submits a 2000-byte buffer populated with specific byte patterns, the driver performs an out-of-bounds memory write that corrupts kernel memory and triggers a bugcheck.
The issue is classified under [CWE-787] (Out-of-bounds Write). Because the dispatch logic runs at kernel privilege, even an unprivileged local user who can open the device handle can destabilize the operating system. Public proof-of-concept code is available through Exploit-DB #50322 and the Quadron Research Lab repository, demonstrating reliable kernel crashes against affected installations.
Root Cause
The driver does not enforce strict bounds checking on the InputBufferLength and buffer contents passed through the IOCTL interface. The dispatch routine assumes caller-controlled data is well-formed and writes beyond the bounds of an internal kernel buffer when the input matches a specific size and pattern. There is no Access Control List (ACL) restricting which user accounts may open the REDRAGON_MOUSE device, so any interactive local user can reach the vulnerable code path.
Attack Vector
Exploitation requires local code execution with low privileges on a Windows host that has the Redragon mouse software installed. The attacker opens the \\.\REDRAGON_MOUSE device, constructs a 2000-byte buffer containing the trigger pattern documented in the public PoC, and submits it through DeviceIoControl. The kernel driver processes the malformed request, performs an out-of-bounds write, and the system halts with a stop error. The vulnerability does not provide direct code execution or information disclosure — only availability impact — as reflected in the CVSS vector (VC:N/VI:N/VA:H).
The vulnerability mechanism is documented in the VulnCheck advisory and the public proof-of-concept; no synthetic exploitation code is reproduced here.
Detection Methods for CVE-2021-47786
Indicators of Compromise
- Presence of the Redragon mouse driver (REDRAGONMOUSE.sys or similar) loaded in kernel space on endpoints not requiring Redragon peripherals.
- Repeated Windows bugcheck events (Event ID 1001, BugcheckCode referencing the Redragon driver image) in the System event log.
- User-mode processes opening handles to the \\.\REDRAGON_MOUSE device followed shortly by a system crash or unexpected reboot.
Detection Strategies
- Inventory all endpoints for the Redragon mouse driver and the associated firmware versions listed in the affected products section.
- Hunt for DeviceIoControl calls targeting the REDRAGON_MOUSE device from non-Redragon-signed processes using endpoint telemetry.
- Correlate kernel crash dumps that name the Redragon driver as the faulting module with prior process execution from untrusted users.
Monitoring Recommendations
- Forward Windows kernel bugcheck events and minidump metadata to a centralized log platform for correlation.
- Alert on unexpected loading of third-party Human Interface Device (HID) drivers on servers, kiosks, and other systems where consumer peripherals are not authorized.
- Track new handle-open operations against named kernel device objects associated with consumer-grade peripherals.
How to Mitigate CVE-2021-47786
Immediate Actions Required
- Uninstall the Redragon mouse configuration software and remove the associated kernel driver from endpoints where it is not operationally required.
- Restrict local logon to trusted users on systems where the vulnerable driver must remain installed, since exploitation requires local access.
- Review the VulnCheck advisory and Quadron Research Lab disclosure for the latest vendor guidance.
Patch Information
No vendor advisory or patched firmware release is currently linked in the NVD entry for CVE-2021-47786. Organizations should monitor the Redragon Zone website for updated driver and firmware releases addressing this issue and apply any vendor-supplied updates as soon as they become available.
Workarounds
- Block load of the Redragon mouse driver using Windows Defender Application Control (WDAC) or AppLocker driver policies on managed endpoints.
- Add the vulnerable driver hash to the Microsoft Vulnerable Driver Blocklist if not already covered.
- Where the device must be used, limit it to workstations that do not host sensitive workloads, so a forced bugcheck has minimal operational impact.
# Example: query and remove the Redragon driver service on Windows
sc.exe query REDRAGONMOUSE
sc.exe stop REDRAGONMOUSE
sc.exe delete REDRAGONMOUSE
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
