CVE-2026-3508 - Vulnerability Details - OpenCVE

An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system crash (BSOD) via a read size that exceeds the buffer size.Refer to the ' Security Update for MyASUS ' section on the ASUS Security Advisory for more information.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Asus	Asus System Control Interface System Control Interface

No data.

No data.

References

Link	Providers
https://www.asus.com/security-advisory

History

Fri, 08 May 2026 04:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Asus system Control Interface
Vendors & Products		Asus system Control Interface

Fri, 08 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system crash (BSOD) via a read size that exceeds the buffer size.Refer to the ' Security Update for MyASUS ' section on the ASUS Security Advisory for more information.
First Time appeared		Asus Asus asus System Control Interface
Weaknesses		CWE-125
CPEs		cpe:2.3:a:asus:asus_system_control_interface::::::::
Vendors & Products		Asus Asus asus System Control Interface
References		https://www.asus.com/security-advisory
Metrics		cvssV4_0 `{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: ASUS

Published: 2026-05-08T02:00:53.822Z

Updated: 2026-05-08T02:00:53.822Z

Reserved: 2026-03-04T05:51:48.969Z

Link: CVE-2026-3508

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T03:16:24.820

Modified: 2026-05-08T03:16:24.820

Link: CVE-2026-3508

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3508", "assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "state": "PUBLISHED", "assignerShortName": "ASUS", "dateReserved": "2026-03-04T05:51:48.969Z", "datePublished": "2026-05-08T02:00:53.822Z", "dateUpdated": "2026-05-08T02:00:53.822Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "shortName": "ASUS", "dateUpdated": "2026-05-08T02:00:53.822Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "ASUS", "product": "ASUS System Control Interface", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "V3.1.59.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:asus:asus_system_control_interface:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "v3.1.59.1"}]}]}], "descriptions": [{"lang": "en", "value": "An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system crash (BSOD) via a read size that exceeds the buffer size.Refer to the '\nSecurity Update for MyASUS\u00a0' section on the ASUS Security Advisory for more information.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system crash (BSOD) via a read size that exceeds the buffer size.<div>Refer to the '\nSecurity Update for MyASUS ' section on the ASUS Security Advisory for more information.</div>"}]}], "references": [{"url": "https://www.asus.com/security-advisory"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause system crash (BSOD) via a read size that exceeds the buffer size.Refer to the '\nSecurity Update for MyASUS\u00a0' section on the ASUS Security Advisory for more information."}], "id": "CVE-2026-3508", "lastModified": "2026-05-08T03:16:24.820", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "type": "Secondary"}]}, "published": "2026-05-08T03:16:24.820", "references": [{"source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "url": "https://www.asus.com/security-advisory"}], "sourceIdentifier": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "type": "Secondary"}]}