PatchSiren cyber security CVE debrief
CVE-2026-36425 OPSWAT CVE debrief
A potential security issue was identified in OPSWAT AppRemover Driver (ardrv.sys) version 2017.10.02.1551 and earlier. The issue is related to the IOCTL handler 0x2420031, where any local user can open the device and send process termination requests without proper privilege validation. This could potentially allow unauthorized users to terminate processes, leading to security issues. System administrators and users of OPSWAT AppRemover Driver should be aware of this potential security issue and take necessary precautions to mitigate the risk.
- Vendor
- OPSWAT
- Product
- AppRemover Driver
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
System administrators and users of OPSWAT AppRemover Driver should be aware of this potential security issue and take necessary precautions to mitigate the risk. This includes verifying and updating OPSWAT AppRemover Driver to the latest version, restricting access to the device to authorized users only, and monitoring system logs for suspicious activity related to process termination requests.
Technical summary
The issue is located in the IOCTL handler 0x2420031 of OPSWAT AppRemover Driver (ardrv.sys) version 2017.10.02.1551 and earlier. This handler allows any local user to open the device and send process termination requests without proper privilege validation, potentially leading to security issues. The vulnerability could be exploited by a local user to terminate processes without authorization, which may lead to system instability or security breaches.
Defensive priority
Medium
Recommended defensive actions
- Verify and update OPSWAT AppRemover Driver to the latest version
- Restrict access to the device to authorized users only
- Monitor system logs for suspicious activity related to process termination requests
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-16T21:17:20.450Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the provided source corpus and may be subject to change as new evidence emerges. Users should verify the status with official sources for the most current information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T21:17:20.450Z and has not been modified since then. The NVD entry is currently in the 'Received' status.