VB-Audio Voicemeeter and Matrix Drivers Denial-of-Service Vulnerability via Improper FsContext Initialization

A denial-of-service vulnerability has been identified in VB-Audio Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, VB-Audio Matrix, and Matrix Coconut. The issue arises in the virtual audio drivers when a handle is opened with a specific file attribute value, leading to an improper initialization of the FsContext. This misconfiguration allows for the dereferencing of an invalid pointer, causing a kernel crash. The vulnerability affects several different versions and/or ranges of the products.

Impact

Exploitation of this vulnerability causes a kernel crash, typically resulting in a Blue Screen of Death (BSoD) error, with the system service exception indicating an access violation. This flaw allows a local unprivileged user to disrupt system operations on affected Windows machines.

Reproduction

The vulnerability can be reproduced by opening a handle to the affected driver with a special file attribute value that triggers the improper initialization of the FsContext. Once the handle is opened, an unsupported IOCTL can be issued, which is forwarded to the ks.sys driver. This process dereferences the invalid FsContext value, leading to a system crash. Alternatively, the vulnerability can be reproduced by performing a relative open on an already opened handle, which also causes the invalid FsContext value to be dereferenced and the system to crash.

Remediation

Users can update to the latest versions of VB-Audio Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, VB-Audio Matrix, or Matrix Coconut. The updated drivers have been released and are available on the VB-Audio website.