CVE-2021-47789 Overview
CVE-2021-47789 is a buffer overrun vulnerability (CWE-121: Stack-based Buffer Overflow) in the Yenkee Hornet Gaming Mouse driver GM312Fltr.sys. This vulnerability allows local attackers to crash the system by sending oversized input through the driver interface. The attack can be executed by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash, resulting in a denial of service condition.
Critical Impact
Local attackers with low privileges can exploit this kernel driver vulnerability to cause system crashes and denial of service by sending oversized buffers through DeviceIoControl calls.
Affected Products
- Yenkee Hornet Gaming Mouse Driver (GM312Fltr.sys)
Discovery Timeline
- 2026-01-16 - CVE-2021-47789 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2021-47789
Vulnerability Analysis
The vulnerability exists within the GM312Fltr.sys kernel driver used by the Yenkee Hornet Gaming Mouse. This driver fails to properly validate the size of input buffers received through DeviceIoControl system calls. When an attacker sends a specially crafted buffer exceeding expected boundaries (approximately 2000 bytes), the driver writes beyond allocated memory regions, triggering a stack-based buffer overflow at the kernel level.
Because the overflow occurs in kernel mode, successful exploitation results in a system crash (Blue Screen of Death) rather than code execution. The attack vector is local, so the attacker needs some level of access to the target system, but low privileges are enough to interact with the vulnerable driver interface.
Root Cause
The root cause of this vulnerability is inadequate input validation in the GM312Fltr.sys driver when processing IOCTL requests. The driver does not properly verify buffer size boundaries before copying user-supplied data into fixed-size kernel buffers, leading to a classic stack-based buffer overflow condition (CWE-121).
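The missing check described above, shown as an added example (not code from the driver, the vendor or the original advisory): a user-mode C model of an IOCTL handler that validates the caller-supplied length before copying into a fixed-size stack buffer. The struct, the function names and the 256-byte buffer size are assumptions, since the driver's real layout is not given here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* NTSTATUS values from ntstatus.h, redeclared so this builds in user mode. */
#define ST_SUCCESS             0x00000000u
#define ST_INVALID_PARAMETER   0xC000000Du
#define ST_INVALID_BUFFER_SIZE 0xC0000206u

/* Hypothetical: the real size of the driver's stack buffer is not published. */
#define LOCAL_BUF_SIZE 256u

/* Hypothetical stand-in for the fields a dispatch routine reads from the IRP. */
struct ioctl_request {
    const uint8_t *input;     /* caller-supplied input buffer */
    size_t         input_len; /* caller-controlled length */
};

/* Trivial consumer so the copy has an observable result. */
static uint32_t checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += p[i];
    return sum;
}

/* Hardened handler: the length is checked before any byte reaches the
 * fixed-size stack buffer. The flawed pattern is this same function without
 * the second check, i.e. memcpy(local, input, input_len) with a length the
 * caller chose. */
uint32_t handle_ioctl(const struct ioctl_request *req, uint32_t *result) {
    uint8_t local[LOCAL_BUF_SIZE];

    if (req == NULL || result == NULL || req->input == NULL)
        return ST_INVALID_PARAMETER;
    if (req->input_len == 0 || req->input_len > sizeof(local))
        return ST_INVALID_BUFFER_SIZE; /* reject; never truncate silently */

    memcpy(local, req->input, req->input_len);
    *result = checksum(local, req->input_len);
    return ST_SUCCESS;
}

/* Constructed input: a buffer of 0x01 bytes offered to the handler at `len`. */
uint32_t status_for_len(size_t len, uint32_t *out) {
    static uint8_t buf[4096];
    if (len > sizeof(buf)) return ST_INVALID_PARAMETER;
    memset(buf, 1, sizeof(buf));
    struct ioctl_request req = { buf, len };
    return handle_ioctl(&req, out);
}
```

With this check in place, the 2000-byte request size cited in this advisory is refused with an error status instead of being copied.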
Attack Vector
The attack requires local access to the system where the Yenkee Hornet Gaming Mouse driver is installed. An attacker can exploit this vulnerability by opening a handle to the vulnerable device driver and sending a specially crafted IOCTL request with an oversized buffer (2000 bytes or more). The DeviceIoControl Windows API is used to communicate with the driver, and the malformed input causes the kernel driver to overflow its internal buffers, resulting in a system crash.
The attack can be weaponized through malware running on a compromised system or by a malicious local user to cause denial of service. Technical details and proof-of-concept code are available through Exploit-DB #50311 and the GitHub Kernel Driver Bugs repository.
Detection Methods for CVE-2021-47789
Indicators of Compromise
- Unexpected system crashes (BSOD) on systems with Yenkee Hornet Gaming Mouse drivers installed
- Crash dump analysis showing faults originating from GM312Fltr.sys driver
- Event log entries indicating driver-related kernel exceptions
Detection Strategies
- Monitor for applications making suspicious DeviceIoControl calls to the GM312Fltr.sys driver
- Implement endpoint detection rules to identify processes attempting to interact with gaming peripheral drivers in unusual ways
- Deploy kernel-level monitoring to detect buffer overflow patterns in driver communications
Monitoring Recommendations
- Enable crash dump collection and analyze any BSOD events for GM312Fltr.sys involvement
- Configure SentinelOne agents to monitor for driver-related exploitation attempts
- Audit installed drivers and identify systems running vulnerable versions of the Yenkee gaming mouse driver
How to Mitigate CVE-2021-47789
Immediate Actions Required
- Inventory all systems with Yenkee Hornet Gaming Mouse drivers installed
- Consider removing or disabling the GM312Fltr.sys driver if not essential to operations
- Restrict local user access on sensitive systems to reduce attack surface
- Monitor the Yenkee Official Website for driver updates
Patch Information
As of the last update to this vulnerability record, no official vendor patch has been publicly documented. Organizations should monitor Yenkee's official channels for driver updates that address this buffer overflow vulnerability. The VulnCheck advisory provides additional technical context for this vulnerability.
Workarounds
- Remove or uninstall the GM312Fltr.sys driver from systems where the gaming mouse functionality is not required
- Implement application whitelisting to prevent unauthorized programs from interacting with device drivers
- Restrict local user privileges to minimize the risk of exploitation by low-privilege attackers
- Consider using alternative gaming peripherals that do not require this vulnerable driver
# Check if vulnerable driver is installed
dir C:\Windows\System32\drivers\GM312Fltr.sys
# If present and not needed, disable the driver (requires Administrator)
# sc.exe is spelled out because "sc" is an alias for Set-Content in Windows PowerShell
sc.exe config GM312Fltr start= disabled
sc.exe stop GM312Fltr


