Klaus Hahnenkamp

**Name of the Vulnerable Software and Affected Versions** VB-Audio Voicemeeter versions 1.1.1.9 and earlier VB-Audio Voicemeeter Banana versions 2.1.1.9 and earlier VB-Audio Voicemeeter Potato versions 3.1.1.9 and earlier VB-Audio Matrix versions 1.0.2.2 and earlier VB-Audio Matrix Coconut versions 2.0.2.2 and earlier **Description** The VB-Audio software contains a flaw in its virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio vmauxvaio*.sys, vbaudio vmvaio*.sys, and vbaudio vmvaio3*.sys). When a handle is opened with a specific file attribute, the drivers incorrectly set the `FILE OBJECT->FsContext` to an invalid value. If operations are passed to the audio driver stack, this invalid `FsContext` can be accessed, leading to a system crash (Blue Screen of Death) with a `SYSTEM SERVICE EXCEPTION` and `STATUS ACCESS VIOLATION`. This issue allows a local user with limited privileges to cause a denial-of-service on Windows systems. **Recommendations** Update VB-Audio Voicemeeter to a version later than 1.1.1.9. Update VB-Audio Voicemeeter Banana to a version later than 2.1.1.9. Update VB-Audio Voicemeeter Potato to a version later than 3.1.1.9. Update VB-Audio Matrix to a version later than 1.0.2.2. Update VB-Audio Matrix Coconut to a version later than 2.0.2.2.

**Name of the Vulnerable Software and Affected Versions** VB-Audio Voicemeeter versions 1.1.1.9 and earlier VB-Audio Voicemeeter Banana versions 2.1.1.9 and earlier VB-Audio Voicemeeter Potato versions 3.1.1.9 and earlier VB-Audio Matrix versions 1.0.2.2 and earlier VB-Audio Matrix Coconut versions 2.0.2.2 and earlier **Description** The virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio vmauxvaio*.sys, vbaudio vmvaio*.sys, and vbaudio vmvaio3*.sys) map non-paged pool memory into user space using `MmMapLockedPagesSpecifyCache` with UserMode access without proper exception handling. A failure in the mapping process, such as when a process exhausts available virtual address space, causes `MmMapLockedPagesSpecifyCache` to raise an exception that is not handled, resulting in a kernel crash, typically a SYSTEM SERVICE EXCEPTION with a STATUS NO MEMORY error. This can lead to a denial-of-service condition. A local unprivileged user can trigger this issue. **Recommendations** Update VB-Audio Voicemeeter to a version later than 1.1.1.9. Update VB-Audio Voicemeeter Banana to a version later than 2.1.1.9. Update VB-Audio Voicemeeter Potato to a version later than 3.1.1.9. Update VB-Audio Matrix to a version later than 1.0.2.2. Update VB-Audio Matrix Coconut to a version later than 2.0.2.2.

**Name of the Vulnerable Software and Affected Versions** VB-Audio Matrix and Matrix Coconut versions ending in 1.0.2.2 and earlier VB-Audio Matrix Coconut versions ending in 2.0.2.2 and earlier **Description** The VB-Audio Matrix and Matrix Coconut software contain a local privilege escalation issue within the VBMatrix VAIO virtual audio driver (`vbmatrixvaio64* win10.sys`). The driver allocates a 128-byte non-paged pool buffer and, when receiving IOCTL `0x222060`, maps it into user space using an MDL and `MmMapLockedPagesSpecifyCache`. Due to the allocation size not being page-aligned, the mapping exposes the entire 0x1000-byte kernel page, including adjacent non-paged pool allocations, with read/write permissions. A local attacker can open a device handle with the required `0x800` attribute flag, invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers on that page. This can bypass Kernel Address Space Layout Randomization (KASLR), allow arbitrary kernel memory read/write within the exposed page, corrupt kernel objects, and lead to SYSTEM-level privileges. **Recommendations** Versions ending in 1.0.2.2 and earlier: Update to a newer version. Versions ending in 2.0.2.2 and earlier: Update to a newer version.

**Name of the Vulnerable Software and Affected Versions** VB-Audio Voicemeeter versions 1.1.1.9 and earlier VB-Audio Voicemeeter Banana versions 2.1.1.9 and earlier VB-Audio Voicemeeter Potato versions 3.1.1.9 and earlier VB-Audio Matrix versions 1.0.2.2 and earlier VB-Audio Matrix Coconut versions 2.0.2.2 and earlier **Description** The virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio vmauxvaio*.sys, vbaudio vmvaio*.sys, and vbaudio vmvaio3*.sys) allocate non-paged pool and map it into user space. A length value associated with the allocation is exposed and can be modified by a local attacker. The corrupted length is then used as the IoAllocateMdl length argument without sufficient validation, potentially leading to a kernel crash (Blue Screen of Death), specifically a PAGE FAULT IN NONPAGED AREA error. This allows a local user to cause a denial-of-service on affected systems. **Recommendations** Update VB-Audio Voicemeeter to a version later than 1.1.1.9. Update VB-Audio Voicemeeter Banana to a version later than 2.1.1.9. Update VB-Audio Voicemeeter Potato to a version later than 3.1.1.9. Update VB-Audio Matrix to a version later than 1.0.2.2. Update VB-Audio Matrix Coconut to a version later than 2.0.2.2.