CVE-2026-23761: CWE-824 Access of Uninitialized Pointer in VB-Audio Software Voicemeeter (Standard)
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems.
AI Analysis
Technical Summary
CVE-2026-23761 is a vulnerability classified under CWE-824 (Access of Uninitialized Pointer) found in multiple VB-Audio Software products including Voicemeeter (Standard, Banana, Potato) and VB-Audio Matrix variants. The issue resides in their virtual audio drivers (e.g., vbvoicemeetervaio64*.sys and related drivers) where, upon opening a handle with a specially crafted file attribute, the driver improperly initializes the FILE_OBJECT->FsContext field to a non-pointer magic value rather than a valid pointer. This improper initialization leads to a scenario where if subsequent I/O operations are not handled by the VB-Audio driver itself but instead forwarded down the Windows audio driver stack (such as through PortCls to ks.sys), the invalid FsContext pointer is dereferenced. This dereference triggers a kernel-mode access violation, causing a SYSTEM_SERVICE_EXCEPTION Blue Screen of Death (BSoD) with STATUS_ACCESS_VIOLATION. The vulnerability can be exploited locally by an unprivileged user without requiring authentication or user interaction, making it a straightforward denial-of-service vector against affected Windows systems. The flaw affects versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 or earlier for Voicemeeter variants, and 1.0.2.2 and 2.0.2.2 or earlier for Matrix products. No patches or exploits are currently publicly available, but the vulnerability poses a risk to system stability and availability in environments where these audio drivers are deployed.
Potential Impact
The primary impact of CVE-2026-23761 is denial-of-service through kernel crashes (BSoD) on Windows systems running vulnerable VB-Audio drivers. For European organizations, this can disrupt critical audio processing workflows, especially in sectors like broadcasting, media production, live event management, and telecommunication services where Voicemeeter and VB-Audio Matrix products are commonly used. The kernel crash affects system availability and can lead to data loss if unsaved work is interrupted. While the vulnerability does not allow privilege escalation or remote code execution, the ease of local exploitation by unprivileged users means insider threats or compromised endpoints could trigger system outages. Organizations relying on these audio drivers in professional or enterprise environments may face operational disruptions, reputational damage, and potential financial losses due to downtime. The lack of known exploits reduces immediate risk, but the medium CVSS score indicates a notable threat to system stability that should be addressed proactively.
Mitigation Recommendations
1. Immediately identify and inventory all systems running affected VB-Audio products and versions. 2. Monitor vendor communications for official patches or updates addressing this vulnerability and apply them promptly once available. 3. Until patches are released, restrict local user access on critical systems to trusted personnel only to reduce the risk of exploitation. 4. Employ application whitelisting and endpoint protection solutions to detect and prevent unauthorized execution of potentially malicious local code that could trigger the vulnerability. 5. Consider isolating or segmenting systems using these audio drivers to limit the blast radius of potential denial-of-service events. 6. Implement robust system monitoring to detect frequent or unusual system crashes indicative of exploitation attempts. 7. Educate users about the risk of running untrusted local code and enforce least privilege principles to minimize local attack surface. 8. If feasible, evaluate alternative audio driver solutions or configurations that do not expose this vulnerability until patched.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
CVE-2026-23761: CWE-824 Access of Uninitialized Pointer in VB-Audio Software Voicemeeter (Standard)
Description
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems.
AI-Powered Analysis
Technical Analysis
CVE-2026-23761 is a vulnerability classified under CWE-824 (Access of Uninitialized Pointer) found in multiple VB-Audio Software products including Voicemeeter (Standard, Banana, Potato) and VB-Audio Matrix variants. The issue resides in their virtual audio drivers (e.g., vbvoicemeetervaio64*.sys and related drivers) where, upon opening a handle with a specially crafted file attribute, the driver improperly initializes the FILE_OBJECT->FsContext field to a non-pointer magic value rather than a valid pointer. This improper initialization leads to a scenario where if subsequent I/O operations are not handled by the VB-Audio driver itself but instead forwarded down the Windows audio driver stack (such as through PortCls to ks.sys), the invalid FsContext pointer is dereferenced. This dereference triggers a kernel-mode access violation, causing a SYSTEM_SERVICE_EXCEPTION Blue Screen of Death (BSoD) with STATUS_ACCESS_VIOLATION. The vulnerability can be exploited locally by an unprivileged user without requiring authentication or user interaction, making it a straightforward denial-of-service vector against affected Windows systems. The flaw affects versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 or earlier for Voicemeeter variants, and 1.0.2.2 and 2.0.2.2 or earlier for Matrix products. No patches or exploits are currently publicly available, but the vulnerability poses a risk to system stability and availability in environments where these audio drivers are deployed.
Potential Impact
The primary impact of CVE-2026-23761 is denial-of-service through kernel crashes (BSoD) on Windows systems running vulnerable VB-Audio drivers. For European organizations, this can disrupt critical audio processing workflows, especially in sectors like broadcasting, media production, live event management, and telecommunication services where Voicemeeter and VB-Audio Matrix products are commonly used. The kernel crash affects system availability and can lead to data loss if unsaved work is interrupted. While the vulnerability does not allow privilege escalation or remote code execution, the ease of local exploitation by unprivileged users means insider threats or compromised endpoints could trigger system outages. Organizations relying on these audio drivers in professional or enterprise environments may face operational disruptions, reputational damage, and potential financial losses due to downtime. The lack of known exploits reduces immediate risk, but the medium CVSS score indicates a notable threat to system stability that should be addressed proactively.
Mitigation Recommendations
1. Immediately identify and inventory all systems running affected VB-Audio products and versions. 2. Monitor vendor communications for official patches or updates addressing this vulnerability and apply them promptly once available. 3. Until patches are released, restrict local user access on critical systems to trusted personnel only to reduce the risk of exploitation. 4. Employ application whitelisting and endpoint protection solutions to detect and prevent unauthorized execution of potentially malicious local code that could trigger the vulnerability. 5. Consider isolating or segmenting systems using these audio drivers to limit the blast radius of potential denial-of-service events. 6. Implement robust system monitoring to detect frequent or unusual system crashes indicative of exploitation attempts. 7. Educate users about the risk of running untrusted local code and enforce least privilege principles to minimize local attack surface. 8. If feasible, evaluate alternative audio driver solutions or configurations that do not expose this vulnerability until patched.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-15T18:42:20.938Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 697251f54623b1157c7bcf88
Added to database: 1/22/2026, 4:36:05 PM
Last enriched: 1/22/2026, 4:52:00 PM
Last updated: 2/7/2026, 8:22:55 PM
Views: 46
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2110: Improper Restriction of Excessive Authentication Attempts in Tasin1025 SwiftBuy
MediumCVE-2026-2109: Improper Authorization in jsbroks COCO Annotator
MediumCVE-2026-2108: Denial of Service in jsbroks COCO Annotator
MediumCVE-2026-2107: Improper Authorization in yeqifu warehouse
MediumCVE-2026-2106: Improper Authorization in yeqifu warehouse
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.