CVE-2026-29923 Overview
CVE-2026-29923 is a local privilege escalation vulnerability in the pstrip64.sys kernel driver shipped with EnTech Taiwan PowerStrip versions 3.90.736 and earlier. The driver exposes an IOCTL handler that lets unprivileged local users map arbitrary physical memory into their own address space. Attackers can use this primitive to modify critical kernel structures and elevate their process token to SYSTEM. The flaw is categorized under CWE-269: Improper Privilege Management.
Critical Impact
Any local user can gain SYSTEM-level code execution on a Windows host where PowerStrip is installed, providing full control over the operating system.
Affected Products
- EnTech Taiwan PowerStrip versions <=3.90.736
- pstrip64.sys kernel-mode driver bundled with PowerStrip
- Windows hosts where the vulnerable driver is loaded
Discovery Timeline
- 2026-04-09 - CVE-2026-29923 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-29923
Vulnerability Analysis
The pstrip64.sys driver registers a device object accessible from user mode without enforcing adequate access controls on its IOCTL interface. One of its IOCTL handlers accepts user-supplied physical addresses and length values, then maps the requested physical memory range into the calling process's virtual address space. Because the driver runs in kernel mode, the mapping bypasses normal Windows memory protection boundaries. Attackers gain read and write access to physical memory regions that back kernel structures.
Once the attacker has a writable view of kernel memory, they locate the EPROCESS structure for their own process and overwrite the token pointer with that of a SYSTEM process. This is a well-known token-stealing primitive used against vulnerable third-party drivers. The vulnerability falls under driver vulnerability and privilege escalation classes and is consistent with CWE-269.
Root Cause
The root cause is the absence of validation on IOCTL input and missing privilege checks on the device object. The driver trusts that callers will supply legitimate physical addresses and offers no boundary, allow-list, or caller-context enforcement. Combined with overly permissive ACLs on the device, this turns a debug-style primitive into a full kernel read/write capability for any local user.
Attack Vector
Exploitation requires only local, low-privileged access. An attacker opens a handle to the driver's device object, issues the crafted DeviceIoControl request with attacker-chosen physical address ranges, and receives a user-space mapping of kernel-resident memory. The attacker then scans for and overwrites token or callback structures to achieve SYSTEM execution. No user interaction is required. Refer to the Packet Storm File #218394 for the public technical write-up.
No verified proof-of-concept code is reproduced here. The vulnerability mechanism — IOCTL-driven arbitrary physical memory mapping followed by EPROCESS token replacement — is described in prose only.
Detection Methods for CVE-2026-29923
Indicators of Compromise
- Presence of pstrip64.sys (version <=3.90.736) loaded on systems where PowerStrip is not an approved application.
- Creation of handles to the PowerStrip device object by processes that are not pstrip.exe or the vendor's installer.
- Unexpected token swaps where a non-administrative process suddenly executes child processes as NT AUTHORITY\SYSTEM.
Detection Strategies
- Hunt for DeviceIoControl calls targeting the PowerStrip device from non-vendor processes using endpoint telemetry.
- Alert on driver load events for pstrip64.sys on hosts outside of approved engineering or display-tuning use cases.
- Correlate process token changes with prior handle opens to known vulnerable drivers as part of a Bring Your Own Vulnerable Driver (BYOVD) detection pattern.
Monitoring Recommendations
- Enable Windows kernel-mode driver load auditing (Event ID 6) and forward events to a SIEM for review.
- Monitor for new services or scheduled tasks running as SYSTEM that were created by interactive user sessions.
- Track unsigned or low-reputation driver installations across the fleet and review baseline drift weekly.
How to Mitigate CVE-2026-29923
Immediate Actions Required
- Inventory endpoints for the presence of PowerStrip and pstrip64.sys at version <=3.90.736.
- Uninstall PowerStrip on systems where it is not required for business operations.
- Add pstrip64.sys to the Microsoft Vulnerable Driver Blocklist or an equivalent Windows Defender Application Control (WDAC) policy.
Patch Information
No fixed version is referenced in the NVD entry at the time of publication. Check the EnTech Taiwan PowerStrip product page for vendor updates and apply any release that supersedes 3.90.736.
Workarounds
- Restrict local logon rights so that only trusted administrators can interact with hosts running the vulnerable driver.
- Enable Microsoft's Vulnerable Driver Blocklist via Windows Security or WDAC policy to prevent pstrip64.sys from loading.
- Remove the driver service entry and delete pstrip64.sys from %SystemRoot%\System32\drivers\ on systems where PowerStrip is uninstalled but residual files remain.
# Configuration example: enable Microsoft Vulnerable Driver Blocklist on Windows
# Run from an elevated PowerShell prompt
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 1 /f
# Verify the PowerStrip driver service state and remove it if present
sc.exe query pstrip64
sc.exe delete pstrip64
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
