CVE-2026-8501 Overview
CVE-2026-8501 is an improper access control vulnerability in the PCTCore64.sys Windows kernel driver shipped with PC Tools Internet Security. The driver exposes the PCTCoreDriver Windows Driver Model (WDM) device interface to user-mode processes without enforcing adequate access restrictions. Any local user-mode process can open a handle to the device and invoke privileged I/O control (IOCTL) handlers. A local attacker can abuse these handlers to perform sensitive kernel-level operations on the target system. The flaw is classified under [CWE-782: Exposed IOCTL with Insufficient Access Control].
Critical Impact
A local, low-privileged attacker can interact with privileged kernel IOCTLs through PCTCore64.sys, enabling unauthorized operations that affect confidentiality, integrity, and availability of the host.
Affected Products
- PC Tools Internet Security (versions bundling PCTCore64.sys)
- Windows systems where the PCTCoreDriver WDM device is loaded
- Any third-party software that bundles or sideloads the vulnerable PCTCore64.sys driver
Discovery Timeline
- 2026-06-01 - CVE-2026-8501 published to the National Vulnerability Database (NVD)
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-8501
Vulnerability Analysis
The PCTCore64.sys driver registers a WDM device object named PCTCoreDriver and attaches IOCTL handlers used by the PC Tools Internet Security user-mode components. The driver fails to apply a restrictive security descriptor to this device object. As a result, unprivileged user-mode processes can call CreateFile against the device path and successfully obtain a handle. Once the handle is open, the caller can issue DeviceIoControl requests that reach handlers intended only for trusted callers. These handlers perform operations that require kernel privileges, including memory access and process manipulation primitives commonly found in security drivers.
Root Cause
The root cause is a missing or overly permissive Access Control List (ACL) on the driver's device object. Windows driver developers are expected to define a Security Descriptor Definition Language (SDDL) string that restricts access to SYSTEM or administrators. The PCTCoreDriver device interface omits this hardening, exposing privileged functionality to any local caller [CWE-782].
Attack Vector
Exploitation requires local access and the ability to execute code or load the driver on the target host. The attacker opens the exposed device with standard Win32 APIs and then issues crafted IOCTL codes to invoke privileged handlers. Because the vulnerable driver may be present on systems that no longer run PC Tools Internet Security through Bring Your Own Vulnerable Driver (BYOVD) techniques, an attacker who can write the signed driver to disk and load it can reach the same primitives. Refer to the CERT Vulnerability Advisory #158530 for additional technical context.
Detection Methods for CVE-2026-8501
Indicators of Compromise
- Presence of PCTCore64.sys on systems that do not require PC Tools Internet Security functionality.
- Creation of a handle to \\.\PCTCoreDriver by processes outside the legitimate PC Tools product set.
- Service control or sc.exe activity registering or starting a kernel service backed by PCTCore64.sys.
- Unexpected DeviceIoControl calls from non-administrative user contexts targeting the driver.
Detection Strategies
- Hunt for kernel driver loads matching the hash of vulnerable PCTCore64.sys versions using Sysmon Event ID 6 (Driver Loaded).
- Alert on process creation events that invoke CreateFile against \\.\PCTCoreDriver from non-vendor binaries.
- Correlate driver installation events (Event ID 7045) with subsequent privilege escalation or token manipulation activity.
- Apply the Microsoft recommended driver block rules and detect bypass attempts.
Monitoring Recommendations
- Continuously inventory loaded kernel drivers and flag deviations from an approved baseline.
- Monitor Windows Defender Application Control (WDAC) and Hypervisor-protected Code Integrity (HVCI) policy violations.
- Forward driver load and device object access telemetry to a centralized analytics platform for retrospective hunting.
How to Mitigate CVE-2026-8501
Immediate Actions Required
- Identify and remove PCTCore64.sys from endpoints where PC Tools Internet Security is no longer in active use.
- Deploy the Microsoft vulnerable driver blocklist to prevent loading of known-vulnerable drivers.
- Enforce WDAC and HVCI policies to restrict unsigned or unauthorized kernel drivers.
- Restrict local administrator rights to reduce the population of users able to load arbitrary drivers.
Patch Information
No vendor patch is referenced in the published advisory. PC Tools Internet Security is a legacy product line, and affected versions may not receive updates. Organizations should treat removal of PCTCore64.sys and application of Microsoft's driver block rules as the primary remediation path. Review the CERT Vulnerability Advisory #158530 for vendor status updates.
Workarounds
- Apply a hardened Security Descriptor to the device object using Security Descriptor Definition Language (SDDL) if removal is not feasible.
- Block driver loading through Group Policy by enabling the Microsoft vulnerable driver blocklist on Windows 11 and Windows Server 2022 and later.
- Use application control policies to deny execution of any binary that attempts to register PCTCoreDriver as a kernel service.
# Enable Microsoft vulnerable driver blocklist via registry on Windows
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 1 /f
# Remove the vulnerable driver service (run as Administrator)
sc.exe stop PCTCore
sc.exe delete PCTCore
del /f /q %SystemRoot%\System32\drivers\PCTCore64.sys
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
