PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-36425 OPSWAT CVE debrief

A potential security issue was identified in OPSWAT AppRemover Driver (ardrv.sys) version 2017.10.02.1551 and earlier. The issue is related to the IOCTL handler 0x2420031, where any local user can open the device and send process termination requests without proper privilege validation. This could potentially allow unauthorized users to terminate processes, leading to security issues. System administrators and users of OPSWAT AppRemover Driver should be aware of this potential security issue and take necessary precautions to mitigate the risk.

Vendor
OPSWAT
Product
AppRemover Driver
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

System administrators and users of OPSWAT AppRemover Driver should be aware of this potential security issue and take necessary precautions to mitigate the risk. This includes verifying and updating OPSWAT AppRemover Driver to the latest version, restricting access to the device to authorized users only, and monitoring system logs for suspicious activity related to process termination requests.

Technical summary

The issue is located in the IOCTL handler 0x2420031 of OPSWAT AppRemover Driver (ardrv.sys) version 2017.10.02.1551 and earlier. This handler allows any local user to open the device and send process termination requests without proper privilege validation, potentially leading to security issues. The vulnerability could be exploited by a local user to terminate processes without authorization, which may lead to system instability or security breaches.

Defensive priority

Medium

Recommended defensive actions

  • Verify and update OPSWAT AppRemover Driver to the latest version
  • Restrict access to the device to authorized users only
  • Monitor system logs for suspicious activity related to process termination requests
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-16T21:17:20.450Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the provided source corpus and may be subject to change as new evidence emerges. Users should verify the status with official sources for the most current information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T21:17:20.450Z and has not been modified since then. The NVD entry is currently in the 'Received' status.