CVE-2018-19320

HIGH KEV RANSOMWARE

GIGABYTE APP Center <1.05.21 - Memory Corruption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2018-19320 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 24, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including zer0condition, ASkyeye, hmnthabit.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2018-19320, which allows loading unsigned drivers on Windows 10-11 by leveraging a vulnerable driver (gdrv.sys). The tool provides a command-line interface to load or unload drivers, bypassing PatchGuard.

Description

The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.

Exploits (3)

nomisec WORKING POC 331 stars
by zer0condition · local
https://github.com/zer0condition/GDRVLoader

This repository contains a proof-of-concept exploit for CVE-2018-19320, which allows loading unsigned drivers on Windows 10-11 by leveraging a vulnerable driver (gdrv.sys). The tool provides a command-line interface to load or unload drivers, bypassing PatchGuard.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 10-11 with vulnerable gdrv.sys driver
Auth required
Prerequisites: Administrator privileges · Presence of vulnerable gdrv.sys driver
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 20 stars
by ASkyeye · local
https://github.com/ASkyeye/CVE-2018-19320

This PoC exploits CVE-2018-19320, a vulnerability in Gigabyte CI driver, to enable or disable driver signing by manipulating kernel memory via IOCTL calls. It interacts with the driver to leak addresses and modify the `g_CiOptions` variable.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Gigabyte CI driver (CI.dll)
No auth needed
Prerequisites: Access to the vulnerable Gigabyte CI driver · Administrative privileges to interact with the driver
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 10 stars
by hmnthabit · local
https://github.com/hmnthabit/CVE-2018-19320-LPE

This is a functional local privilege escalation (LPE) exploit for CVE-2018-19320, targeting vulnerable GIGABYTE drivers. It leverages arbitrary memory write capabilities in gdrv.sys to overwrite HalDispatchTable+0x8 with shellcode, executing a token-stealing payload to elevate privileges to SYSTEM.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: GIGABYTE APP Center v1.05.21 and previous, AORUS GRAPHICS ENGINE v1.33 and previous, XTREME GAMING ENGINE v1.25 and previous, OC GURU II v2.08
No auth needed
Prerequisites: Vulnerable GIGABYTE driver installed · Local access to the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Dec/39
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106252
Vendor Advisory x_refsource_confirm
https://www.gigabyte.com/Support/Security/1801

Scores

CVSS v3 7.8
EPSS 0.0360
EPSS Percentile 87.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-10-24
VulnCheck KEV 2020-02-10
InTheWild.io 2020-02-24
ENISA EUVD EUVD-2018-11018
Ransomware Use Confirmed
Status published
Products (4)
gigabyte/aorus_graphics_engine < 1.57
gigabyte/app_center < 19.0422.1
gigabyte/oc_guru_ii 2.08
gigabyte/xtreme_gaming_engine < 1.26
Published Dec 21, 2018
KEV Added Oct 24, 2022
Tracked Since Feb 18, 2026