CVE-2026-12193: VS Revo RevoUninstaller IOCTL RevoDetector.sys IOCtl_Handler heap-based overflow
A vulnerability was identified in VS Revo RevoUninstaller 2.5.x/2.6.x. The affected element is the function IOCtl_Handler in the library RevoDetector.sys of the component IOCTL Handler. Manipulation of the data passed to this handler leads to a heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 2.7.0 is sufficient to fix this issue. It is recommended to upgrade the affected component.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: 2.7.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap-based buffer overflow exists in RevoDetector.sys, the kernel driver component of VS Revo RevoUninstaller versions 2.5.x and 2.6.x. The vulnerability is reached locally by a low-privileged user who sends a crafted IOCTL request to the IOCtl_Handler function, triggering the overflow in kernel memory. Successful exploitation gives the attacker full read and write access to the system and can crash the affected service; a patched-image rebuild at version 2.7.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle RevoUninstaller or its driver component. Any image containing an affected 2.5.x or 2.6.x build is flagged automatically.
HarborGuard scores this CVE at CVSS 8.5 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at version 2.7.0 is available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against the affected workload; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
  Any low-privilege local account is sufficient to send the crafted IOCTL request; no administrative credentials are needed.
- Victim interaction: Not required
  No user interaction or social engineering is required; the attacker triggers the overflow directly.
- Attack complexity: Low
  The exploit is reliable and condition-free, with no race conditions or special memory layout required.
Blast Radius
- Reads sensitive data from kernel and process memory, including credentials or session material accessible to the kernel driver.
- Writes to kernel memory, allowing an attacker to modify security-relevant data structures or escalate local privileges.
- Crashes the RevoDetector.sys driver, disrupting uninstaller functionality and potentially destabilizing the host.
- A public proof-of-concept exploit exists, lowering the bar for exploitation in any environment where the driver is loaded.
How HarborGuard Handles This
Available on HarborGuard: images containing RevoUninstaller 2.5.x or 2.6.x are matched against this CVE the moment it enters the ingestion pipeline, with no manual configuration required. Where compliance policy permits, auto-remediation customers receive a rebuilt image at version 2.7.0, a regression test run, and a pull request opened against affected workloads; for high-severity issues the median time from publication to merged patch PR is around 90 minutes. For customers who have not enabled auto-remediation, the finding is routed to the designated team inbox with full CVSS context and a direct pointer to the 2.7.0 upgrade path. Because a public exploit is confirmed (CVSS E:P), teams that cannot immediately rebuild are advised to apply kernel driver load restrictions via Windows Driver Block rules or group policy to prevent RevoDetector.sys from loading until the patched image is in place.
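The mitigation path in that paragraph (rebuild to 2.7.0, or keep the driver from loading until the rebuild lands) starts with knowing which hosts carry an affected build and whether RevoDetector.sys is currently loaded. The PowerShell script below is an added example, not code from the advisory or from VS Revo. It assumes the product registers an Uninstall entry whose DisplayName starts with "Revo Uninstaller" and that the driver's service image path contains RevoDetector.sys (both hypothetical match patterns), and it compares the product version rather than the driver's file version, because the page gives only product versions and driver file versions need not track them.

```powershell
# Added example (not from the advisory or from VS Revo): a defender-side
# exposure check for CVE-2026-12193 on a single Windows host.
# Assumptions (hypothetical): the Uninstall DisplayName begins with
# "Revo Uninstaller", and the kernel driver service's PathName contains
# "RevoDetector.sys". Product version, not driver file version, decides
# exposure, since the advisory only states product versions.

$FixedVersion = [version]'2.7.0'

function Get-RevoInstallState {
    # Check both native and WOW6432Node Uninstall hives for the product entry.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Revo Uninstaller*' } |
        ForEach-Object {
            $ver = $null
            # DisplayVersion is free text; only a parseable version is compared.
            [void][version]::TryParse($_.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $ver
                Vulnerable  = ($null -ne $ver -and $ver -lt $FixedVersion)
            }
        }
}

function Get-RevoDetectorDriver {
    # Win32_SystemDriver lists registered kernel driver services, their image
    # path, current state (Running/Stopped) and start mode.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*RevoDetector.sys*' } |
        Select-Object -First 1 Name, State, StartMode, PathName
}

$installs = @(Get-RevoInstallState)
$driver   = Get-RevoDetectorDriver

if ($installs.Count -eq 0 -and -not $driver) {
    Write-Output 'RevoUninstaller not found; no exposure to CVE-2026-12193 on this host.'
    return
}

foreach ($i in $installs) {
    $status = if ($i.Vulnerable) { 'VULNERABLE (upgrade to 2.7.0)' }
              elseif ($null -eq $i.Version) { 'version not parseable, review manually' }
              else { 'patched' }
    Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.Version, $status)
}

if ($driver) {
    Write-Output ("RevoDetector.sys service '{0}' is {1} (start mode {2}): {3}" -f
        $driver.Name, $driver.State, $driver.StartMode, $driver.PathName)
    if ($driver.State -eq 'Running' -and ($installs | Where-Object Vulnerable)) {
        # The overflow is only reachable while the driver is loaded, so a loaded
        # vulnerable driver is the condition that warrants a block rule or a
        # driver service stop until the 2.7.0 build is deployed.
        Write-Warning 'Vulnerable build with RevoDetector.sys loaded: deploy 2.7.0, or block the driver (WDAC driver block rule / group policy) until then.'
    }
} else {
    Write-Output 'RevoDetector.sys is not registered as a kernel driver service on this host.'
}
```

Run it from an elevated prompt so the WOW6432Node hive and the driver service list are fully readable; a host that reports a vulnerable product version but no registered driver service is still worth rebuilding, since the driver can be re-registered by a later run of the product.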
- VS Revo / RevoUninstaller 2.5.*, 2.6.*: fixed in 2.7.0
- CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
- VDB-370839 | VS Revo RevoUninstaller IOCTL RevoDetector.sys IOCtl_Handler heap-based overflow
- VDB-370839 | CTI Indicators (IOB, IOC, IOA)
- CVE-2026-12193 | CVE Analysis and Report
- Submit #829132 | VS REVO GROUP RevoUninstaller <2.7.0 >2.5.0 Heap-based Buffer Overflow
- Submit #829133 | VS REVO GROUP RevoUninstaller <2.7.0 >2.5.0 Heap-based Buffer Overflow (Duplicate)