CVE-2026-9490 Overview
CVE-2026-9490 affects Acer Care Center, where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. An authenticated local user can connect to the pipe and send a crafted message of type 0x03, crashing the service with exit code 1067 (ERROR_PROCESS_ABORTED). The flaw is categorized under CWE-269: Improper Privilege Management and results in a local denial of service against the Acer Care Center support utility. Acer has published guidance directing users to update to the latest version.
Critical Impact
A local authenticated attacker can crash the Acer Care Center ACCSvc service through a malformed named pipe message, disrupting endpoint support functionality.
Affected Products
- Acer Care Center (ACCSvc service component)
- Versions prior to the fix referenced in the Acer advisory
- Windows endpoints with Acer Care Center installed
Discovery Timeline
- 2026-05-25 - CVE-2026-9490 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9490
Vulnerability Analysis
The vulnerability resides in the ACCSvc Windows service that ships with Acer Care Center. The service exposes a Named Pipe for inter-process communication. The pipe is created with a Security Descriptor that grants overly permissive access rights to local authenticated users. Any logged-in user on the system can open a handle to the pipe and write messages directly to the service.
When the service receives a message of type 0x03, it fails to handle the input safely. The process terminates with Windows service exit code 1067 (ERROR_PROCESS_ABORTED). The vulnerability is locally exploitable, requires low privileges, and impacts availability without affecting confidentiality or integrity. EPSS data shows a 0.013% probability score with a percentile of 2.248, reflecting low observed exploitation activity.
Root Cause
The root cause is improper privilege management [CWE-269] applied to the Named Pipe object. The Security Descriptor placed on the pipe does not restrict access to administrative or SYSTEM-level callers. Combined with insufficient input validation on message type 0x03, this allows any local user to trigger an unhandled condition and abort the service process.
Attack Vector
The attack requires local access and valid user credentials on a system running Acer Care Center. An attacker opens a handle to the ACCSvc named pipe using standard Windows API calls such as CreateFile against the pipe path. The attacker then writes a message containing the type identifier 0x03 using WriteFile. The service processes the malformed message and exits, terminating Acer Care Center functionality until the service is restarted. No verified public exploit code is available. Technical details are documented in the Acer Community Article.
Detection Methods for CVE-2026-9490
Indicators of Compromise
- Windows Service Control Manager events recording termination of the ACCSvc service with exit code 1067 (ERROR_PROCESS_ABORTED).
- Unexpected restarts or stopped status for the Acer Care Center service across managed endpoints.
- Local processes opening handles to the Acer Care Center named pipe from non-Acer binaries.
Detection Strategies
- Monitor Windows Event Log Service Control Manager events (Event IDs 7031, 7034) referencing ACCSvc for repeated crash patterns.
- Correlate process creation telemetry with named pipe access targeting Acer Care Center pipes from unsigned or user-launched executables.
- Flag local privilege boundary anomalies where standard user processes interact with vendor service IPC endpoints.
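The first strategy above, as an added example (not code from Acer or from the original page): it parses Service Control Manager events in the XML shape emitted by `wevtutil qe System /f:xml` and flags bursts of ACCSvc crashes. The threshold, window, function names, and sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CRASH_IDS = {7031, 7034}  # SCM "terminated unexpectedly" events named above

def parse_crashes(xml_text, service_match="ACCSvc"):
    """Timestamps of SCM crash events whose data mentions the service. Assumption:
    SCM usually logs the display name in param1; pass that name if it differs."""
    hits = []
    for ev in ET.fromstring(f"<Events>{xml_text}</Events>").findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name")
        event_id = int(system.find("e:EventID", NS).text)
        if provider != "Service Control Manager" or event_id not in CRASH_IDS:
            continue
        data = [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]
        if any(service_match.lower() in d.lower() for d in data):
            stamp = system.find("e:TimeCreated", NS).get("SystemTime")
            hits.append(datetime.fromisoformat(stamp[:19]))  # drop fraction and Z
    return sorted(hits)

def crash_bursts(times, threshold=3, window=timedelta(minutes=10)):
    """Return (first, last, count) for each run of >= threshold crashes in window."""
    bursts, i = [], 0
    while i < len(times):
        run = [t for t in times[i:] if t - times[i] <= window]  # times is sorted
        if len(run) >= threshold:
            bursts.append((run[0], run[-1], len(run)))
        i += len(run) if len(run) >= threshold else 1
    return bursts

def _event(eid, stamp, name):  # constructed sample in wevtutil /f:xml shape
    return (f"<Event xmlns='{NS['e']}'><System><Provider Name='Service Control Manager'/>"
            f"<EventID Qualifiers='49152'>{eid}</EventID><TimeCreated SystemTime='{stamp}'/>"
            f"</System><EventData><Data Name='param1'>{name}</Data></EventData></Event>")

SAMPLE = "".join([  # constructed data, not taken from a real host
    _event(7034, "2026-05-26T08:00:00.1234567Z", "ACCSvc"),   # isolated crash
    _event(7031, "2026-05-27T10:00:05.0000000Z", "ACCSvc"),
    _event(7034, "2026-05-27T10:01:10.0000000Z", "Print Spooler"),  # other service
    _event(7036, "2026-05-27T10:02:00.0000000Z", "ACCSvc"),   # state change, not a crash
    _event(7031, "2026-05-27T10:03:30.0000000Z", "ACCSvc"),
    _event(7034, "2026-05-27T10:06:45.0000000Z", "ACCSvc"),
])

if __name__ == "__main__":
    for first, last, count in crash_bursts(parse_crashes(SAMPLE)):
        print(f"ALERT: {count} ACCSvc crashes between {first} and {last}")
```

A single crash stays below the threshold, so tune `threshold` and `window` against the baseline of normal ACCSvc start/stop activity in your environment.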
Monitoring Recommendations
- Baseline the expected frequency of ACCSvc start/stop events and alert on deviations.
- Track named pipe enumeration tools (for example pipelist, NtObjectManager usage) executed by non-administrative users.
- Ensure endpoint telemetry captures service crash exit codes for post-incident triage.
How to Mitigate CVE-2026-9490
Immediate Actions Required
- Update Acer Care Center to the latest version as directed in the Acer Community Article.
- Inventory Windows endpoints to identify systems with Acer Care Center installed and confirm patch status.
- Restrict interactive logon on shared or kiosk systems where local users could trigger the crash.
Patch Information
Acer requires users to update Acer Care Center to the latest version to remediate this vulnerability. Refer to the Acer Community Article for the vendor-supplied fix and version guidance.
Workarounds
- Disable or stop the ACCSvc service on systems where Acer Care Center is not required.
- Uninstall Acer Care Center on endpoints where the support utility is not in active use.
- Limit local user account provisioning on systems running the vulnerable service until patches are applied.