Exploitation Summary
EIP tracks 2 public exploits for CVE-2006-4927. PoCs published by Ruben Santamarta.
AI-analyzed exploit summary: This exploit targets a privilege escalation vulnerability in Symantec AntiVirus products by corrupting memory to execute arbitrary code with kernel-level privileges. It manipulates MmUserProbeAddress and ExRaiseAccessViolation to achieve code execution in Ring 0.
Description
The (a) NAVENG (NAVENG.SYS) and (b) NAVEX15 (NAVEX15.SYS) device drivers 20061.3.0.12 and later, as used in Symantec AntiVirus and security products, allow local users to gain privileges by overwriting critical system addresses using a crafted IRP to the IOCTL functions (1) 0x222AD3, (2) 0x222AD7, and (3) 0x222ADB.
Exploits (2)
This exploit targets a privilege escalation vulnerability in Symantec AntiVirus products by corrupting memory to execute arbitrary code with kernel-level privileges. It manipulates MmUserProbeAddress and ExRaiseAccessViolation to achieve code execution in Ring 0.
This exploit targets a privilege escalation vulnerability in Symantec AntiVirus (CVE-2006-4927) by corrupting memory via the NAVENG device driver, allowing arbitrary code execution with kernel-level privileges. It overwrites the NtQuerySystemInformation switch to execute a shellcode payload.