PatchSiren cyber security CVE debrief

CVE-2026-8501 Symantec CVE debrief

A local privilege escalation vulnerability exists in the PCTCore64.sys Windows kernel driver distributed with PC Tools Internet Security. The driver exposes a WDM device interface (PCTCoreDriver) that fails to enforce proper access controls, allowing unprivileged user-mode processes to open handles and invoke IOCTL handlers that perform sensitive, privileged operations. The vulnerability was published to the NVD on June 1, 2026, and remains in Awaiting Analysis status. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) yields a base score of 7.8 (High), reflecting low attack complexity, no user interaction requirement, and high impacts to confidentiality, integrity, and availability. The weakness is classified as CWE-782 (Exposed IOCTL with Insufficient Access Control). Microsoft has documented this driver in its recommended driver block rules, indicating it is considered vulnerable or malicious and should be blocked by App Control for Business policies. The CERT/CC has also published a vulnerability note (VU#158530) covering this issue. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV.

Vendor: Symantec
Product: PC Tools Internet Security
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Windows system administrators, endpoint security teams, and organizations with legacy installations of PC Tools Internet Security should prioritize this vulnerability. The availability of a Microsoft recommended driver block rule provides a viable defensive control for enterprises using application whitelisting. Incident response teams should hunt for signs of the vulnerable driver on managed endpoints.

Technical summary

The PCTCore64.sys kernel driver registers a WDM device interface named PCTCoreDriver that is reachable from user mode. Because of improper access control (most likely an overly permissive security descriptor on the device object, or missing access checks in the individual IOCTL handlers), any local process, including an unprivileged one, can obtain a handle and dispatch privileged IOCTLs. An attacker running with low privileges can therefore trigger operations that should be restricted to the kernel or to highly privileged components, resulting in elevation of privilege with high impact to confidentiality, integrity, and availability. The attack requires local access and the ability to reach the affected driver, but no user interaction.

Defensive priority

HIGH

Recommended defensive actions

  • Block the PCTCore64.sys driver using Windows App Control for Business or similar application control policies; Microsoft includes this driver in its recommended driver block rules.
  • Audit endpoints for the presence of PC Tools Internet Security and the PCTCore64.sys driver file; remove or disable the software if present and no longer required.
  • Apply vendor-supplied security updates for PC Tools Internet Security if available from the software distributor.
  • Restrict local user privileges where possible to reduce the attack surface for local privilege escalation vulnerabilities.
  • Monitor for suspicious handle opens to device objects matching PCTCoreDriver or unusual IOCTL patterns from unprivileged processes.
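As an added example (not from the advisory, CERT/CC, Microsoft, or the vendor), the following PowerShell script audits a single Windows endpoint for the driver and product named in the actions above, covering the "audit endpoints" step and giving an application-control status check for the "block the driver" step. The driver file name PCTCore64.sys and the product name PC Tools Internet Security come from this page; the drivers directory path, the uninstall registry keys, and the use of the Win32_DeviceGuard class to read Code Integrity enforcement status are assumptions about a standard Windows installation, not details the advisory states.

```powershell
# Added example, not part of the advisory: audit one endpoint for the
# PCTCore64.sys driver and the PC Tools Internet Security product
# referenced in CVE-2026-8501. Run in an elevated PowerShell session so
# that driver services and HKLM registry keys are readable.

$driverName  = 'PCTCore64.sys'          # driver file name from the advisory
$productName = 'PC Tools*'              # product name from the advisory (wildcard match)
$findings    = @()

# 1. Driver binary on disk in the standard drivers directory.
#    (Location is an assumption; the advisory gives no install path.)
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"
if (Test-Path $driverPath) {
    $file = Get-Item $driverPath
    $sig  = Get-AuthenticodeSignature -FilePath $driverPath
    $findings += [pscustomobject]@{
        Check  = 'FileOnDisk'
        Detail = "$driverPath size=$($file.Length) sha256=$((Get-FileHash -Algorithm SHA256 $driverPath).Hash) signer='$($sig.SignerCertificate.Subject)' sigstatus=$($sig.Status)"
    }
}

# 2. Kernel driver service whose image path ends with the driver file name,
#    regardless of where the binary actually lives.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like "*\$driverName" } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = 'DriverService'
            Detail = "service=$($_.Name) state=$($_.State) startmode=$($_.StartMode) path=$($_.PathName)"
        }
    }

# 3. The product registered in the uninstall keys (64-bit and 32-bit views).
#    Registry locations are an assumption about a standard installation.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $productName } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = 'InstalledProduct'
            Detail = "$($_.DisplayName) version=$($_.DisplayVersion)"
        }
    }

# 4. Whether an App Control for Business / Code Integrity policy is enforced
#    at all; without enforcement, the Microsoft recommended driver block
#    rules cannot block this driver. 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $findings += [pscustomobject]@{
        Check  = 'CodeIntegrityPolicy'
        Detail = "kernel-mode enforcement=$($dg.CodeIntegrityPolicyEnforcementStatus) user-mode enforcement=$($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No trace of $driverName or PC Tools Internet Security on $env:COMPUTERNAME."
} else {
    Write-Output "Findings on $($env:COMPUTERNAME):"
    $findings | Format-Table -AutoSize
}
```

Any FileOnDisk or DriverService finding means the vulnerable driver is present and should be removed or blocked; a CodeIntegrityPolicy finding with kernel-mode enforcement other than 2 means a driver block rule would not yet stop it from loading. The script is read-only and can be wrapped in Invoke-Command to collect the same findings from many endpoints.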

Evidence notes

CVE description confirms improper access control in PCTCore64.sys. CVSS vector and score sourced from NVD record. CWE-782 assigned per NVD weaknesses field. Microsoft recommended driver block rules reference confirms vendor guidance to block this driver. CERT/CC VU#158530 reference confirms coordinated disclosure presence. Vendor attribution is low-confidence ('Unknown Vendor' with 'Microsoft' as domain candidate); product identified as PC Tools Internet Security from CVE description.

Official resources

2026-06-01