HIGH | CVE-2026-8501 | CNA: certcc

CVE-2026-8501

Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Improper access control in the PCTCore64.sys kernel driver shipped with PC Tools Internet Security (a Symantec product) lets any local user-mode process open the PCTCoreDriver WDM device interface and call privileged IOCTL handlers that should be restricted to trusted callers. The vulnerability is reached locally and requires only a low-privilege account, with no user interaction needed. Successful exploitation has a high impact on the confidentiality, integrity, and availability of the host, effectively enabling privilege escalation to kernel-level operations. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-8501 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected PCTCore64.sys driver.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 7.8 HIGH using the published CVSS v3.1 vector, weighting the result against each environment's compliance policy, and routing findings to the appropriate team inbox within the customer org.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a remediated driver version. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to reach the vulnerable IOCTL interface.

  • Victim interaction: Not required

    No user interaction is required; the attacker can invoke the vulnerable IOCTL handlers entirely through their own process.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and imposes no race-condition, memory-layout, or other environmental prerequisites.

Blast Radius

  • A successful attacker can read sensitive kernel-level and process memory, including credentials, tokens, and security policy data held by the driver.
  • The attacker can write to privileged kernel structures or invoke IOCTL handlers to modify security configurations, disable protections, or alter system state.
  • The attacker can crash or destabilize the host by misusing privileged driver operations, causing a denial of service to all workloads on the machine.
  • Because exploitation reaches kernel privilege, the attacker can undermine any user-mode or kernel-mode security control running on the same host.

How HarborGuard Handles This

Available on HarborGuard: images containing the affected PCTCore64.sys driver are flagged as soon as the CVE enters the ingestion pipeline, typically within minutes of advisory publication. Because no upstream fix exists yet, HarborGuard will re-evaluate the advisory on every ingest cycle and make a patched-image rebuild available automatically once PC Tools or Symantec publishes a remediated driver version. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict lateral movement from a compromised host, egress filtering to limit post-exploitation reach, and runtime policy rules that block unexpected driver loads in container workloads. For customers who opt into auto-remediation, the patched rebuild, regression-test run, and PR against affected workloads will be triggered without manual steps the moment a fix version is confirmed upstream.

Affected packages
  • Symantec / PC Tools Internet Security
    *
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H