CVE-2026-14960
CVE-2026-14960
Vexday Risk Score
20Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS —EPSS —KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
15 Jul 2026Published on NVD
15 Jul 2026Public PoC
Weaponization speed
same dayto first PoC
Weaponized quickly — attackers prioritized this vulnerability. Patch urgently.
Recommendation: Plan a near-term fix — a public PoC already exists.
Pegatron `Tdelo64.sys` improperly exposes privileged hardware access functionality through the `\\.\TdeIo` device interface. IOCTL handlers including `TDE_IOCTL_INDEXIO_READ` and `TDE_IOCTL_INDEXIO_WRITE` permit unprivileged user-mode callers to perform arbitrary hardware I/O port reads and writes without authorization checks. A local attacker can abuse this functionality to manipulate hardware registers, tamper with firmware-related interfaces, cause system instability, or establish persistent low-level compromise.
Affected products
Pegatron Corp. · Tdelo64.syspublic PoCs found — 1
githubgithub.com/FzRsLLaSheR/CVE-2026-14960-CVE-2026-14961★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://kb.cert.org/vuls/id/529388