Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23764

CVE-2026-23764: VB-Audio Virtual Drivers DoS Vulnerability

CVE-2026-23764 is a denial-of-service vulnerability in VB-Audio Voicemeeter and Matrix virtual drivers that allows local attackers to crash Windows systems. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2026-23764 Overview

CVE-2026-23764 is a local denial-of-service vulnerability in VB-Audio Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, Matrix, and Matrix Coconut virtual audio drivers on Windows. The drivers allocate non-paged pool memory and map an associated length value into user space, where it can be modified by an unprivileged local attacker. When the driver subsequently processes an I/O control (IOCTL) request, it passes the attacker-controlled length to IoAllocateMdl without integrity validation. The resulting Memory Descriptor List (MDL) construction triggers a kernel crash, typically PAGE_FAULT_IN_NONPAGED_AREA. This issue is tracked under [CWE-823] (Use of Out-of-range Pointer Offset).

Critical Impact

An unprivileged local user can crash affected Windows hosts by sending a crafted IOCTL after corrupting a user-mapped length field shared by the vulnerable virtual audio driver.

Affected Products

  • VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier)
  • VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier)
  • Affected drivers: vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys

Discovery Timeline

  • 2026-01-22 - CVE-2026-23764 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2026-23764

Vulnerability Analysis

The vulnerability resides in the kernel-mode virtual audio drivers shipped with VB-Audio Voicemeeter and Matrix product lines. These drivers allocate a buffer from the non-paged pool and create a shared mapping into user space to facilitate audio data exchange. Within that shared region, the driver also exposes a length value describing the size of the allocation.

Because the length field lives in user-writable memory, an unprivileged local process can overwrite it with an arbitrary value. The driver later trusts this user-controlled length when servicing an IOCTL, passing it directly to IoAllocateMdl to build a Memory Descriptor List for the buffer. No bounds, sanity, or integrity check validates that the length still matches the original allocation size.

When the resulting MDL is probed and mapped, the kernel walks past the actual allocation boundary, dereferences memory that is not backed by valid non-paged pages, and bugchecks with PAGE_FAULT_IN_NONPAGED_AREA. The system becomes unavailable until reboot.

Root Cause

The root cause is improper trust of attacker-controllable input from a shared user/kernel mapping. The driver treats a value located in writable user space as authoritative metadata for kernel memory operations, violating the principle that all user-supplied input crossing a trust boundary must be re-validated against trusted state.

Attack Vector

Exploitation requires local code execution with only standard user privileges. An attacker opens a handle to the vulnerable driver, locates the mapped length field within the shared region, writes a value that exceeds the actual non-paged pool allocation, then issues the IOCTL that triggers MDL construction. No user interaction is required, and the impact is limited to availability — confidentiality and integrity remain unaffected.

No verified public exploit code has been catalogued in ExploitDB, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical details are documented in the GitHub CVE-2026-23764 Research repository and the VulnCheck Advisory on VB-Audio.

Detection Methods for CVE-2026-23764

Indicators of Compromise

  • Unexpected PAGE_FAULT_IN_NONPAGED_AREA bugchecks in Windows minidumps where the faulting module resolves to vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, or vbaudio_vmvaio3*.sys
  • Presence of vulnerable driver versions on endpoints, identified via file version metadata matching or preceding 1.1.1.9, 2.1.1.9, 3.1.1.9, 1.0.2.2, or 2.0.2.2
  • Unprivileged user processes opening handles to VB-Audio driver device objects shortly before a system crash

Detection Strategies

  • Inventory installed kernel drivers and flag VB-Audio Voicemeeter or Matrix builds at or below the affected versions
  • Correlate Windows Error Reporting (WER) crash telemetry with VB-Audio driver loads to surface clusters of denial-of-service events
  • Monitor for non-administrative processes issuing DeviceIoControl calls to VB-Audio virtual audio device objects, which can indicate exploitation attempts

Monitoring Recommendations

  • Forward kernel bugcheck events (Event ID 1001, BugCheckCode 0x50) into a centralized log platform for trend analysis
  • Track driver installation and version changes across managed endpoints to confirm patch deployment status
  • Alert on repeated system crashes from the same host or user context when VB-Audio drivers are present

How to Mitigate CVE-2026-23764

Immediate Actions Required

  • Upgrade Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato to versions above 1.1.1.9, 2.1.1.9, and 3.1.1.9 respectively, and Matrix and Matrix Coconut above 1.0.2.2 and 2.0.2.2
  • Restrict installation of VB-Audio products to systems where the virtual audio functionality is required
  • Limit local interactive logon rights on sensitive Windows hosts to reduce the population of users who can trigger the flaw

Patch Information

Refer to vendor communications on the VB-Audio Official Website and the VB-Audio Forum Discussion for fixed driver builds. Confirm the installed driver file versions for vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys after applying updates.

Workarounds

  • Uninstall affected VB-Audio Voicemeeter or Matrix software on hosts where it is not operationally required
  • Use Windows AppLocker or Windows Defender Application Control to block execution of untrusted local binaries that could interact with the vulnerable drivers
  • Apply Microsoft's vulnerable driver blocklist policies on hosts that do not need VB-Audio functionality

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne