CVE-2026-23763 is a local privilege escalation vulnerability found in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys) used by VB-Audio Software's Matrix and Matrix Coconut products. The driver allocates a 128-byte non-paged pool buffer but maps it into user space using an MDL (Memory Descriptor List) and MmMapLockedPagesSpecifyCache without ensuring page alignment. Because the buffer size is smaller than the 4KB page size, the entire 4KB kernel page containing the buffer and adjacent non-paged pool allocations is exposed with read/write permissions to user space. An attacker with local access can open a device handle requiring the 0x800 attribute flag and invoke the IOCTL 0x222060 to obtain this mapping. This grants the attacker the ability to read and modify live kernel objects and pointers within that page, effectively bypassing Kernel Address Space Layout Randomization (KASLR), performing arbitrary kernel memory read/write operations, corrupting kernel data structures, and ultimately escalating privileges to SYSTEM level. The vulnerability does not require user interaction but does require local privileges to open the device handle. The flaw stems from improper handling of memory alignment and access control in the driver’s IOCTL implementation. No patches or exploit code are currently publicly available, but the vulnerability’s characteristics make it a critical risk for local attackers aiming to gain full control over affected Windows 10 systems running these audio drivers.

This vulnerability allows an unprivileged local attacker to escalate privileges to SYSTEM by exploiting improper memory mapping in the VBMatrix VAIO driver. The ability to read and write arbitrary kernel memory within the exposed page can lead to bypassing critical security mechanisms such as KASLR, enabling further kernel-level attacks and persistence. This compromises the confidentiality, integrity, and availability of the affected system. Organizations using VB-Audio Matrix or Matrix Coconut on Windows 10 systems face risks of full system compromise, data theft, unauthorized system modifications, and potential deployment of persistent malware or ransomware. Since the attack requires local access, insider threats or attackers who have already gained limited access can leverage this flaw to gain complete control. The absence of known public exploits currently reduces immediate risk, but the high severity and ease of exploitation once local access is obtained make this a significant threat to endpoint security.

Organizations should immediately verify if they are running vulnerable versions of VB-Audio Matrix or Matrix Coconut products (versions ending in 1.0.2.2 and 2.0.2.2 or earlier) on Windows 10 systems. Since no official patches are currently available, temporary mitigations include restricting local user access to systems running these drivers and limiting permissions to open device handles with the 0x800 attribute flag. Employing endpoint detection and response (EDR) solutions to monitor for suspicious IOCTL calls or unusual kernel memory access patterns can help detect exploitation attempts. System administrators should enforce the principle of least privilege to minimize the number of users with local access. Additionally, consider disabling or uninstalling the vulnerable VB-Audio drivers if they are not essential. Monitor vendor communications for forthcoming patches and apply them promptly once released. Implementing kernel integrity protection mechanisms and keeping the operating system fully updated can also reduce exploitation likelihood.