CVE-2026-20767 Overview
CVE-2026-20767 is an improper input validation vulnerability [CWE-20] affecting Intel QuickAssist Technology (QAT) software drivers for Windows prior to version 1.13. The flaw resides within Ring 3 user-mode application processing and allows an authenticated local attacker to escalate privileges on the host. Exploitation requires only low-complexity local access combined with valid authentication, and the attacker needs no special internal knowledge or user interaction. Successful exploitation impacts confidentiality, integrity, and availability of the vulnerable system.
Critical Impact
A local authenticated user can escalate privileges on systems running vulnerable Intel QAT drivers, gaining high-impact control over confidentiality, integrity, and availability.
Affected Products
- Intel QuickAssist Technology (QAT) software drivers for Windows before version 1.13
- Windows hosts deploying Intel QAT for cryptographic and compression acceleration
- Server and workstation systems running affected Intel QAT driver builds
Discovery Timeline
- 2026-05-12 - CVE-2026-20767 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-20767
Vulnerability Analysis
The vulnerability stems from improper input validation within Ring 3 user-application components of the Intel QAT driver stack on Windows. User applications interact with the QAT driver through defined interfaces that pass parameters into privileged code paths. When the driver fails to fully validate these inputs, an authenticated local process can supply crafted values that the driver subsequently acts upon with elevated trust.
The weakness aligns with CWE-20, Improper Input Validation. Intel classifies the impact as escalation of privilege originating from unprivileged software with an authenticated user context. Because the attack surface is local and the complexity is low, an adversary already holding a foothold on the host can reliably target the driver to break out of standard user privileges.
Root Cause
The root cause is missing or insufficient validation of inputs accepted from user-mode callers before those inputs are used by trusted driver logic. Driver interfaces that do not enforce strict bounds, type, or state checks on caller-supplied data create a path for privilege boundary violations. Intel addressed the defect in QAT driver version 1.13.
Attack Vector
Exploitation requires local access with valid user authentication. An attacker running unprivileged code on the host issues crafted requests to the vulnerable QAT driver interfaces. Because no user interaction is required and the attack complexity is low, post-foothold privilege escalation is straightforward. The vulnerability does not require special internal knowledge of the target system.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.02%, indicating low predicted near-term exploitation in the wild.
A sanitized exploit example is not available. Refer to the Intel Security Advisory SA-01387 for vendor technical details.
Detection Methods for CVE-2026-20767
Indicators of Compromise
- Presence of Intel QAT Windows driver versions earlier than 1.13 on managed endpoints and servers
- Unexpected process creations or token elevations originating from processes that opened handles to QAT driver device objects
- New or unsigned binaries running with SYSTEM privileges shortly after user-mode QAT API calls
Detection Strategies
- Inventory installed Intel QAT driver versions using Windows driver query tools and compare against the fixed version 1.13
- Monitor process lineage for non-administrative processes that subsequently spawn elevated children after interacting with QAT device interfaces
- Correlate driver IOCTL activity with privilege changes on the host to identify abuse of the user-to-kernel boundary
Monitoring Recommendations
- Enable Windows Defender Application Control or driver block list policies to alert on outdated QAT drivers
- Forward Sysmon process creation, image load, and token elevation events to a central analytics platform for correlation
- Track local privilege escalation patterns on hosts running cryptographic acceleration workloads, where QAT drivers are most common
How to Mitigate CVE-2026-20767
Immediate Actions Required
- Update the Intel QAT software driver for Windows to version 1.13 or later on all affected systems
- Restrict local interactive and remote desktop access on systems running QAT drivers to trusted administrators only
- Audit local accounts and remove unnecessary user authentication paths that could be abused to reach the local attack vector
Patch Information
Intel has released a fixed version of the QuickAssist Technology driver. Administrators should deploy Intel QAT software driver version 1.13 or later for Windows. Full vendor guidance is available in the Intel Security Advisory SA-01387.
Workarounds
- Disable or uninstall the Intel QAT driver on Windows hosts where cryptographic or compression acceleration is not required
- Apply least-privilege controls and application allowlisting to limit which local processes can call into the QAT driver
- Segment systems requiring QAT acceleration away from general-purpose user workloads to reduce local attack exposure
# Query installed Intel QAT driver version on Windows (PowerShell)
Get-WmiObject Win32_PnPSignedDriver |
Where-Object { $_.DeviceName -like "*QuickAssist*" } |
Select-Object DeviceName, DriverVersion, Manufacturer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
