CVE-2026-20905 Overview
CVE-2026-20905 affects Intel QuickAssist Technology (QAT) software drivers for Windows before version 2.6. The flaw stems from improper input validation [CWE-20] within Ring 3 user applications. An authenticated local attacker with unprivileged access can trigger a denial of service condition on the affected system.
The vulnerability requires local access and low attack complexity. Exploitation does not need user interaction or special internal knowledge. Intel published advisory INTEL-SA-01387 to address the issue. The primary impact targets system availability, with limited effects on confidentiality and integrity.
Critical Impact
Local authenticated attackers can cause high-impact denial of service against systems running vulnerable Intel QAT Windows drivers, disrupting cryptographic acceleration and compression workloads.
Affected Products
- Intel QuickAssist Technology (QAT) software drivers for Windows before version 2.6
- Systems leveraging Intel QAT for cryptographic and compression acceleration
- Windows hosts running QAT user-mode (Ring 3) components
Discovery Timeline
- 2026-05-12 - CVE-2026-20905 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-20905
Vulnerability Analysis
The vulnerability resides in Intel QAT software drivers for Windows operating in Ring 3 user mode. The drivers fail to properly validate input received from user applications. An unprivileged authenticated user can submit malformed input to the driver interface and trigger a denial of service condition.
Intel QAT provides hardware-accelerated cryptographic and compression operations. When the user-mode driver components mishandle malformed parameters, the resulting failure disrupts services that depend on QAT acceleration. Workloads such as TLS termination, IPsec, and data compression can become unavailable.
The issue is categorized under [CWE-20] Improper Input Validation. The defect produces high availability impact with low confidentiality and integrity impact, and impacts remain confined to the vulnerable component rather than propagating to subsequent systems.
Root Cause
The root cause is missing or insufficient validation of user-supplied input within QAT user-mode driver code paths. Parameters reaching the driver are accepted without adequate boundary or type checks, allowing crafted requests to drive the component into an error state.
Attack Vector
The attack vector is local. An attacker must hold an authenticated low-privileged account on the target Windows system. From that context, the attacker invokes QAT driver interfaces with malformed input to crash or stall the service. No user interaction is required, and attack complexity is low.
No verified public proof-of-concept code is available. Refer to the Intel Security Advisory INTEL-SA-01387 for vendor-supplied technical details.
Detection Methods for CVE-2026-20905
Indicators of Compromise
- Unexpected crashes, restarts, or hangs of Intel QAT driver services on Windows endpoints
- Application errors from workloads depending on QAT-accelerated cryptography or compression
- Repeated invocation of QAT driver IOCTLs by non-administrative user processes
Detection Strategies
- Monitor Windows Event Log for driver fault, service crash, and WHEA events tied to QAT components
- Correlate process telemetry that shows low-privileged accounts opening handles to QAT device interfaces
- Baseline normal QAT request volumes and alert on sudden bursts of malformed or failing calls
Monitoring Recommendations
- Track driver version inventory to identify hosts running Intel QAT Windows drivers older than 2.6
- Forward Windows system and application logs to a centralized SIEM for anomaly analysis
- Alert on repeated denial of service patterns affecting cryptographic or compression services
How to Mitigate CVE-2026-20905
Immediate Actions Required
- Inventory Windows systems running Intel QAT software drivers and identify versions below 2.6
- Apply the updated Intel QAT Windows driver release referenced in advisory INTEL-SA-01387
- Restrict local logon rights and interactive access on hosts performing QAT-accelerated workloads
- Validate that least-privilege policies prevent untrusted users from issuing driver IOCTLs
Patch Information
Intel addressed the vulnerability in Intel QAT software drivers for Windows version 2.6 and later. Administrators should download and deploy the updated driver package referenced in the Intel Security Advisory INTEL-SA-01387. Verify driver versions after installation using Windows Device Manager or pnputil /enum-drivers.
Workarounds
- Limit interactive and remote local access to systems where the vulnerable QAT driver is installed
- Disable Intel QAT user-mode components on hosts that do not require hardware acceleration
- Enforce application allow-listing to prevent execution of untrusted binaries that could invoke QAT interfaces
# Verify installed Intel QAT driver version on Windows
pnputil /enum-drivers | findstr /I "qat"
# Query driver service status
sc query | findstr /I "qat"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
