CVE-2026-8108 Overview
CVE-2026-8108 affects the installation routine of Fuji Tellus, which deploys a kernel driver configured with read and write permissions granted to all users. The flaw is tracked under CWE-749: Exposed Dangerous Method or Function. A local authenticated attacker can interact with the driver interface to achieve privilege escalation, code execution in kernel context, or full compromise of system integrity and availability. The vulnerability is documented in CISA ICS Advisory ICSA-26-132-01.
Critical Impact
Any local user can open and issue I/O control requests to a kernel driver, enabling local privilege escalation and arbitrary kernel-mode operations on affected workstations.
Affected Products
- Fuji Tellus (installation deploys the affected kernel driver)
- Operational technology and industrial control system endpoints running Fuji Tellus
- Workstations where Fuji Tellus has been installed with default permissions
Discovery Timeline
- 2026-05-12 - CVE-2026-8108 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8108
Vulnerability Analysis
The Fuji Tellus installer registers a kernel-mode driver and assigns an access control list (ACL) that grants read and write access to all users on the system. Kernel drivers expose device objects through \\.\DeviceName style paths, and the operating system enforces access through the driver's security descriptor. When the descriptor includes a permissive entry for Everyone or equivalent groups, any local account, including unprivileged users, can call CreateFile against the device and submit DeviceIoControl requests.
Kernel drivers typically expose IOCTL handlers that operate in ring 0. Without proper access checks, a low-privileged caller can reach functions that read or write kernel memory, manipulate physical memory, or invoke privileged routines. Successful interaction with the exposed driver interface allows a local attacker to escalate to SYSTEM, disable security controls, or corrupt the operating system.
Root Cause
The root cause is an insecure default security descriptor applied to the driver device object during installation. The driver registration code does not restrict access to administrators or to the SYSTEM account. Combined with the absence of caller validation inside IOCTL dispatch routines, the permission misconfiguration exposes privileged functionality to any logged-on user.
Attack Vector
The attack vector is local. An authenticated user opens a handle to the driver device and issues IOCTLs that the driver was intended to expose only to privileged processes. No user interaction is required, and the attack complexity is low. The attacker requires existing local access through interactive logon, RDP, or a compromised user-mode process.
No public proof-of-concept exploit code has been verified for CVE-2026-8108. See the CISA ICS Advisory and GitHub CSAF data for additional technical context.
Detection Methods for CVE-2026-8108
Indicators of Compromise
- Unexpected handle opens to the Fuji Tellus driver device object from non-administrative user contexts
- New SYSTEM-level processes spawned by user accounts shortly after interaction with the Fuji Tellus driver
- Modifications to kernel memory regions or sudden disabling of endpoint security agents on hosts with Fuji Tellus installed
Detection Strategies
- Audit the driver's device object access control list and alert when read or write permissions are granted to Everyone, Users, or Authenticated Users.
- Monitor for CreateFile calls from low-privilege processes targeting the Fuji Tellus driver path, followed by DeviceIoControl activity.
- Correlate driver access events with subsequent token manipulation, process injection, or privilege escalation behaviors using endpoint detection and response telemetry.
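One way to implement the ACL audit from the first detection strategy, as an added example rather than vendor or CISA code: it parses an SDDL string collected for the device object and reports allow ACEs that give Everyone, Users or Authenticated Users read or write access. How the SDDL is collected is left to your tooling, `WEAK_SAMPLE` is constructed, and `HARDENED` is the descriptor shown in the mitigation section of this page.

```python
import re

# Broad principals named in the detection guidance, as SDDL alias and as SID.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "BU": "Users",
         "S-1-5-32-545": "Users", "AU": "Authenticated Users",
         "S-1-5-11": "Authenticated Users"}
# SDDL two-letter rights -> access-mask bits (generic, file, standard, low bits).
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
READ_BITS = 0x80000000 | 0x10000000 | 0x1    # GENERIC_READ, GENERIC_ALL, FILE_READ_DATA
WRITE_BITS = 0x40000000 | 0x10000000 | 0x2   # GENERIC_WRITE, GENERIC_ALL, FILE_WRITE_DATA

WEAK_SAMPLE = "O:BAG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"  # constructed
HARDENED = "D:(A;;GA;;;SY)(A;;GA;;;BA)"                            # from the page


def rights_to_mask(rights):
    """Convert an SDDL rights field (hex literal or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    codes = re.findall("..", rights)
    if len(rights) % 2 or any(c not in RIGHTS for c in codes):
        raise ValueError(f"unhandled SDDL rights field {rights!r}")
    mask = 0
    for code in codes:
        mask |= RIGHTS[code]
    return mask


def audit_dacl(sddl):
    """Return (principal, access) for each allow ACE that is too broad."""
    dacl = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if dacl is None or "NO_ACCESS_CONTROL" in dacl.group(1):
        return [("Everyone", "read+write")]   # null DACL: access is unrestricted
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in BROAD:
            continue   # deny, audit and narrowly scoped ACEs are not reported
        mask = rights_to_mask(fields[2])
        kinds = [k for k, b in (("read", READ_BITS), ("write", WRITE_BITS)) if mask & b]
        if kinds:
            findings.append((BROAD[fields[5]], "+".join(kinds)))
    return findings
```

The check reports allow ACEs only and does not evaluate deny-ACE ordering, so treat an empty result as "no broad grant found" rather than a full access evaluation.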
Monitoring Recommendations
- Enable Windows kernel object access auditing (Event ID 4663) on the Fuji Tellus device object and forward events to a centralized SIEM.
- Track loaded driver inventory across managed endpoints and flag hosts where the affected driver is present.
- Review process ancestry for unprivileged parents launching elevated child processes on systems running Fuji Tellus.
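The correlation described in the indicators and monitoring items above, as an added example (not vendor or CISA tooling): it flags opens of the device by unexpected accounts in 4663 records, then any System-integrity child created by the same process in 4688 records. The device path, host names, SIDs and events are constructed placeholders, and the five-minute window is an assumption.

```python
from datetime import datetime, timedelta

DEVICE = r"\Device\EXAMPLE_TELLUS_DEVICE"  # placeholder: the page does not name the device
EXPECTED_SIDS = {"S-1-5-18"}               # LocalSystem; add approved admin/service SIDs
SYSTEM_LABEL = "S-1-16-16384"              # System mandatory integrity level
WINDOW = timedelta(minutes=5)              # assumed correlation window

# Constructed sample records; keys follow Security event 4663 / 4688 field names.
EVENTS = [
    {"EventID": 4663, "Time": "2026-05-14T09:00:01", "Computer": "HMI-01",
     "SubjectUserSid": "S-1-5-21-1-2-3-1105", "ObjectName": DEVICE,
     "ProcessId": "0x1a2c", "ProcessName": r"C:\Users\op1\tool.exe"},
    {"EventID": 4663, "Time": "2026-05-14T09:00:05", "Computer": "HMI-01",
     "SubjectUserSid": "S-1-5-18", "ObjectName": DEVICE,
     "ProcessId": "0x3f0", "ProcessName": r"C:\Example\vendor_service.exe"},
    {"EventID": 4688, "Time": "2026-05-14T09:00:40", "Computer": "HMI-01",
     "ProcessId": "0x1a2c", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "MandatoryLabel": SYSTEM_LABEL},
    {"EventID": 4688, "Time": "2026-05-14T09:00:50", "Computer": "HMI-02",
     "ProcessId": "0x1a2c", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "MandatoryLabel": SYSTEM_LABEL},
    {"EventID": 4688, "Time": "2026-05-14T09:01:10", "Computer": "HMI-01",
     "ProcessId": "0x1a2c", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "MandatoryLabel": "S-1-16-8192"},
]


def triage(events):
    """Flag unexpected device opens, then System-integrity children of the opener."""
    opened = {}    # (host, opener pid) -> (open time, opener image)
    findings = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        key = (ev["Computer"], ev["ProcessId"].lower())
        if ev["EventID"] == 4663:
            if (ev["ObjectName"].lower() == DEVICE.lower()
                    and ev["SubjectUserSid"] not in EXPECTED_SIDS):
                opened[key] = (when, ev["ProcessName"])
                findings.append(("device-open", ev["Computer"],
                                 ev["SubjectUserSid"], ev["ProcessName"]))
        elif ev["EventID"] == 4688 and key in opened:
            opened_at, image = opened[key]
            # In 4688, ProcessId is the creator; a System-label child is the signal.
            if ev["MandatoryLabel"] == SYSTEM_LABEL and when - opened_at <= WINDOW:
                findings.append(("system-child", ev["Computer"],
                                 image, ev["NewProcessName"]))
    return findings
```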
How to Mitigate CVE-2026-8108
Immediate Actions Required
- Inventory all endpoints with Fuji Tellus installed and restrict interactive access to trusted administrators only.
- Modify the driver device object ACL to remove access for non-administrative principals using sc sdset or equivalent tooling, where supported by the vendor.
- Contact the vendor to obtain a fixed installer or guidance before reinstalling or upgrading Fuji Tellus.
Patch Information
No vendor patch URL is listed in the available data at the time of publication. Refer to the CISA ICS Advisory ICSA-26-132-01 for updated remediation guidance and any vendor-supplied fixes.
Workarounds
- Remove or disable the Fuji Tellus driver on systems that do not require its functionality until a fixed version is available.
- Apply application allowlisting to prevent unauthorized binaries from invoking DeviceIoControl against the affected driver.
- Enforce least-privilege user policies and limit local logon rights on systems where Fuji Tellus is deployed.
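```powershell
# Configuration example: query and harden the driver device security descriptor on Windows
# FujiTellusDriver must match the driver's service name on the host (list drivers with: sc.exe query type= driver)
sc.exe sdshow FujiTellusDriver
# Replace the descriptor to grant access only to SYSTEM (SY) and Administrators (BA)
# sc.exe sdset changes the service object's descriptor; re-check the device object's ACL afterwards
sc.exe sdset FujiTellusDriver "D:(A;;GA;;;SY)(A;;GA;;;BA)"
```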