CVE-2026-23761 Overview
CVE-2026-23761 is a denial-of-service vulnerability affecting VB-Audio's virtual audio driver products, including Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, and VB-Audio Matrix. The vulnerability stems from improper initialization of the FILE_OBJECT->FsContext field in the virtual audio drivers, which can lead to a kernel crash (Blue Screen of Death) when exploited by a local unprivileged user.
Critical Impact
Local unprivileged users can trigger a system crash (BSoD) on affected Windows systems, causing complete denial-of-service without requiring elevated privileges.
Affected Products
- VB-Audio Voicemeeter (versions ending in 1.1.1.9 and earlier)
- VB-Audio Voicemeeter Banana (versions ending in 2.1.1.9 and earlier)
- VB-Audio Voicemeeter Potato (versions ending in 3.1.1.9 and earlier)
- VB-Audio Matrix (versions ending in 1.0.2.2 and earlier)
- VB-Audio Matrix Coconut (versions ending in 2.0.2.2 and earlier)
Discovery Timeline
- 2026-01-22 - CVE-2026-23761 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-23761
Vulnerability Analysis
This vulnerability is classified under CWE-824 (Access of Uninitialized Pointer). The flaw exists in the VB-Audio virtual audio drivers, specifically in how they handle file object initialization when a handle is opened with a special file attribute value.
The affected drivers include:
- vbvoicemeetervaio64*.sys
- vbmatrixvaio64*.sys
- vbaudio_vmauxvaio*.sys
- vbaudio_vmvaio*.sys
- vbaudio_vmvaio3*.sys
When a handle is opened with certain special file attribute values, the drivers improperly initialize the FILE_OBJECT->FsContext to a non-pointer magic value instead of a valid pointer. This incorrect initialization creates a dangerous condition where subsequent I/O operations that are not directly handled by the VB-Audio driver get forwarded down the audio driver stack through PortCls to ks.sys.
Root Cause
The root cause is improper initialization of the FILE_OBJECT->FsContext field within the VB-Audio kernel drivers. Rather than setting FsContext to a valid memory pointer or NULL, the drivers assign a non-pointer magic value. This violates the expected Windows kernel driver conventions for file object handling.
When the Windows kernel audio subsystem (specifically ks.sys through the PortCls interface) attempts to process operations on these file objects, it dereferences the FsContext field expecting a valid pointer structure. The magic value causes an invalid memory access, triggering a STATUS_ACCESS_VIOLATION and resulting in a SYSTEM_SERVICE_EXCEPTION blue screen.
Attack Vector
The vulnerability requires local access to exploit. An attacker with an unprivileged user account on an affected Windows system can trigger the vulnerability by opening a handle to one of the vulnerable VB-Audio virtual audio device drivers with specific file attributes.
The attack does not require any special permissions beyond standard user access. Once the malformed file handle is created, normal audio subsystem operations cause the invalid FsContext value to be dereferenced, crashing the kernel. This makes it a straightforward denial-of-service attack that can be executed reliably without complex exploitation techniques.
For technical details on the exploitation mechanism, refer to the GitHub CVE-2026-23761 Research repository.
Detection Methods for CVE-2026-23761
Indicators of Compromise
- Unexpected system crashes (BSoD) with SYSTEM_SERVICE_EXCEPTION error code and STATUS_ACCESS_VIOLATION status
- Crash dump analysis showing faulting module as ks.sys or one of the VB-Audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys)
- Windows Event Log entries indicating kernel driver failures related to audio subsystem components
- Repeated system instability specifically when VB-Audio products are installed
Detection Strategies
- Monitor for crash dumps containing references to VB-Audio driver modules in the call stack
- Implement endpoint detection rules to flag processes opening handles to VB-Audio virtual audio devices with unusual file attributes
- Audit systems for vulnerable versions of Voicemeeter, Matrix, and related VB-Audio software
- Configure crash analysis automation to alert on SYSTEM_SERVICE_EXCEPTION events involving audio driver components
Monitoring Recommendations
- Enable Windows Error Reporting and centralized crash dump collection to identify potential exploitation attempts
- Deploy endpoint telemetry to track handle creation operations on VB-Audio virtual device drivers
- Establish baseline crash rates for systems with VB-Audio software to identify anomalous crash patterns
- Review application inventory to identify all systems with affected VB-Audio products installed
How to Mitigate CVE-2026-23761
Immediate Actions Required
- Identify all systems with VB-Audio Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, VB-Audio Matrix, or Matrix Coconut installed
- Update to the latest versions of affected VB-Audio products from the VB-Audio Official Website
- Consider temporarily uninstalling affected VB-Audio drivers on critical systems until patches are applied
- Restrict local access to systems where removal or update is not immediately possible
Patch Information
VB-Audio has acknowledged this vulnerability through their community forums. Users should update to versions newer than 1.1.1.9 (Voicemeeter), 2.1.1.9 (Voicemeeter Banana), 3.1.1.9 (Voicemeeter Potato), 1.0.2.2 (Matrix), and 2.0.2.2 (Matrix Coconut). Check the VB-Audio Forum Post #7527 and VB-Audio Forum Post #7574 for official update guidance and patch availability.
For additional advisory details, see the VulnCheck Advisory on VB-Audio DDoS.
Workarounds
- Temporarily remove or disable VB-Audio virtual audio drivers on systems where immediate patching is not feasible
- Restrict local user access on critical systems running affected VB-Audio software
- Implement application control policies to prevent unauthorized users from executing code that could trigger the vulnerability
- Consider using alternative virtual audio solutions until patched versions are deployed
# List installed VB-Audio drivers on Windows (PowerShell)
Get-WmiObject Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like "*VB-Audio*" -or $_.DeviceName -like "*Voicemeeter*" } | Select-Object DeviceName, DriverVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
