VB-Audio Voicemeeter and Matrix Drivers Denial-of-Service Vulnerability via Corrupted IoAllocateMdl Length

A denial-of-service vulnerability has been identified in VB-Audio Voicemeeter, Voicemeeter Banana, Voicemeeter Potato, VB-Audio Matrix, and Matrix Coconut. The issue resides in the virtual audio drivers, which improperly handle memory allocation lengths. This flaw allows an unprivileged local attacker to manipulate length values, leading to a kernel crash, typically causing a Blue Screen of Death (BSoD) error. The vulnerability is present in specific versions of the applications: Voicemeeter (Standard) through 1.1.1.9, Voicemeeter Banana through 2.1.1.9, Voicemeeter Potato through 3.1.1.9, VB-Audio Matrix through 1.0.2.2, and VB-Audio Matrix Coconut through 2.0.2.2.

Impact

Exploitation of this vulnerability causes a kernel crash, leading to a Blue Screen of Death (BSoD) error, typically a PAGE_FAULT_IN_NONPAGED_AREA.

Reproduction

The vulnerability can be reproduced by installing one of the affected Voicemeeter products or VB-Audio Matrix applications on a Windows system. After installation, a handle to the driver can be created using the CreateFileA function. The driver maps non-paged pool memory into user space, where the length of the allocation can be read and modified. By overwriting the length value with a large number and then using the IOCTL command to map the memory again, the corrupted length is used in a way that causes a crash.

Remediation

Users can update to the latest versions of VB-Audio Voicemeeter or VB-Audio Matrix applications. The latest versions include the patched drivers that fix this vulnerability.