CVE-2026-29923 Overview
CVE-2026-29923 is a local privilege escalation vulnerability in the pstrip64.sys driver included with EnTech Taiwan PowerStrip version 3.90.736 and earlier. The vulnerability allows local users to escalate privileges to SYSTEM by sending crafted IOCTL requests to the vulnerable driver, enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures.
Critical Impact
Local attackers can leverage this driver vulnerability to achieve SYSTEM-level privileges, enabling complete compromise of the affected Windows system through arbitrary kernel memory manipulation.
Affected Products
- EnTech Taiwan PowerStrip versions ≤3.90.736
- Windows systems with pstrip64.sys driver installed
Discovery Timeline
- 2026-04-09 - CVE-2026-29923 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-29923
Vulnerability Analysis
This vulnerability resides in the pstrip64.sys kernel-mode driver, which is a component of the PowerStrip display utility software developed by EnTech Taiwan. The driver exposes IOCTL handlers that fail to properly validate user-supplied parameters, allowing unprivileged local users to manipulate physical memory mappings.
The core issue stems from the driver's functionality to interface with display hardware at a low level. The driver implements IOCTL handlers that can map arbitrary physical memory addresses into user-mode virtual address space without adequate privilege verification or boundary checks. This design flaw enables attackers to read and write to arbitrary physical memory locations, including kernel memory regions that contain sensitive security structures.
By exploiting this capability, an attacker can locate and modify critical kernel objects such as process tokens, enabling token theft or privilege attribute manipulation. This results in complete elevation from a low-privileged user account to NT AUTHORITY\SYSTEM, the highest privilege level on Windows systems.
Root Cause
The root cause of CVE-2026-29923 is improper input validation within the IOCTL dispatch routine of the pstrip64.sys driver. The driver accepts physical memory addresses and size parameters from user-mode applications without verifying that the calling process has appropriate privileges or that the requested memory regions are safe to expose. This allows any local user to leverage the driver as a primitive for arbitrary physical memory access, bypassing Windows kernel security mechanisms.
Attack Vector
The attack requires local access to a Windows system with the vulnerable PowerStrip driver installed. An attacker executes a malicious application that:
- Opens a handle to the pstrip64.sys device object
- Sends specially crafted IOCTL requests specifying target physical memory addresses
- Receives a user-mode virtual address mapping to the requested physical memory
- Locates kernel structures (such as EPROCESS tokens) in the mapped memory
- Modifies token privileges or performs token swapping to escalate to SYSTEM
The attack does not require any user interaction beyond execution of the malicious payload, and no authentication credentials beyond those of the initial low-privileged user are needed.
Detection Methods for CVE-2026-29923
Indicators of Compromise
- Presence of pstrip64.sys driver loaded in kernel memory on systems where PowerStrip should not be installed
- Unusual process token modifications detected through security auditing
- Processes spawning with SYSTEM privileges from non-administrator user sessions
- Suspicious IOCTL communications to the PowerStrip driver device from unexpected applications
Detection Strategies
- Monitor for the loading of pstrip64.sys driver through Windows Driver Load events (Sysmon Event ID 6)
- Implement behavioral detection for privilege escalation patterns, such as token manipulation sequences
- Deploy endpoint detection rules that alert on unexpected IOCTL requests to hardware driver devices
- Use Windows Security Event Log monitoring for Event ID 4688 (Process Creation) with elevated token privileges from low-integrity processes
Monitoring Recommendations
- Enable driver load auditing through Group Policy and forward events to a centralized SIEM
- Configure SentinelOne policies to monitor and alert on suspicious kernel driver activity
- Implement application whitelisting to prevent unauthorized applications from communicating with vulnerable drivers
- Regularly audit installed drivers and remove unnecessary third-party kernel components
How to Mitigate CVE-2026-29923
Immediate Actions Required
- Identify all systems with EnTech Taiwan PowerStrip or pstrip64.sys driver installed
- Uninstall PowerStrip software if not required for business operations
- Manually remove the pstrip64.sys driver if the software cannot be fully uninstalled
- Restrict local user accounts using principle of least privilege to limit potential attack surface
Patch Information
No vendor patch information is currently available for this vulnerability. Organizations should monitor the EnTech Taiwan Utility Overview page for security updates. Additional technical details are available from the Packet Storm Security advisory.
Workarounds
- Remove or disable the pstrip64.sys driver until a patched version is available
- Use Windows Device Guard or HVCI (Hypervisor-protected Code Integrity) to restrict unsigned or vulnerable driver loading
- Apply application control policies to prevent the PowerStrip utility from running on managed endpoints
- Implement network segmentation to limit lateral movement if a system is compromised via this vulnerability
# Disable the vulnerable driver on Windows systems
sc stop pstrip64
sc config pstrip64 start= disabled
# Remove the driver file (run as Administrator)
del /F /Q "C:\Windows\System32\drivers\pstrip64.sys"
# Verify driver is no longer loaded
driverquery /v | findstr /i pstrip
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
