CVE-2026-6737 - Vulnerability Details - OpenCVE

An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable via crafted IOCTL requests.Refer to the ' Security Update for ASUS Precision Touchpad ' section on the ASUS Security Advisory for more information.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Asus	Asusptpfilter

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/virtual-ciso
https://www.asus.com/security-advisory

History

Fri, 08 May 2026 03:45:00 +0000

Type	Values Removed	Values Added
Title		Local Privilege Escalation via Unsane IOCTL in AsusPTPFilter Driver

Fri, 08 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable via crafted IOCTL requests.Refer to the ' Security Update for ASUS Precision Touchpad ' section on the ASUS Security Advisory for more information.
First Time appeared		Asus Asus asusptpfilter
Weaknesses		CWE-782
CPEs		cpe:2.3:a:asus:asusptpfilter::::::::
Vendors & Products		Asus Asus asusptpfilter
References		https://www.asus.com/security-advisory
Metrics		cvssV4_0 `{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: ASUS

Published: 2026-05-08T02:00:26.422Z

Updated: 2026-05-08T02:00:26.422Z

Reserved: 2026-04-21T06:25:50.061Z

Link: CVE-2026-6737

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T03:16:24.990

Modified: 2026-05-08T03:16:24.990

Link: CVE-2026-6737

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6737", "assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "state": "PUBLISHED", "assignerShortName": "ASUS", "dateReserved": "2026-04-21T06:25:50.061Z", "datePublished": "2026-05-08T02:00:26.422Z", "dateUpdated": "2026-05-08T02:00:26.422Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "shortName": "ASUS", "dateUpdated": "2026-05-08T02:00:26.422Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-782", "description": "CWE-782: Exposed IOCTL with Insufficient Access Control", "type": "CWE"}]}], "affected": [{"vendor": "ASUS", "product": "AsusPTPFilter", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "16.0.0.45", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:asus:asusptpfilter:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndIncluding": "16.0.0.45"}]}]}], "descriptions": [{"lang": "en", "value": "An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable\u00a0via crafted IOCTL requests.Refer to the '\nSecurity Update for ASUS Precision Touchpad\u00a0' section on the ASUS Security Advisory for more information.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable via crafted IOCTL requests.<div>Refer to the '\nSecurity Update for ASUS Precision Touchpad ' section on the ASUS Security Advisory for more information.</div>"}]}], "references": [{"url": "https://www.asus.com/security-advisory"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2, "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable\u00a0via crafted IOCTL requests.Refer to the '\nSecurity Update for ASUS Precision Touchpad\u00a0' section on the ASUS Security Advisory for more information."}], "id": "CVE-2026-6737", "lastModified": "2026-05-08T03:16:24.990", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "type": "Secondary"}]}, "published": "2026-05-08T03:16:24.990", "references": [{"source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "url": "https://www.asus.com/security-advisory"}], "sourceIdentifier": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-782"}], "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "type": "Secondary"}]}