Mallory
Severity: High | Public exploit

Local Privilege Escalation in Broadcom/LSI Agere Soft Modem Driver AGRSM64.sys

Identifiers: CVE-2023-31096, CWE-121

CVE-2023-31096 is a local elevation-of-privilege vulnerability in the Broadcom/LSI PCI-SV92EX Soft Modem kernel driver, AGRSM64.sys, through version 2.2.100.1. The issue is a stack-based buffer overflow in the driver's handler for IOCTL 0x1b2150, specifically in its use of RtlCopyMemory. A local attacker can send crafted input to the vulnerable IOCTL and trigger memory corruption in kernel context, resulting in execution with elevated privileges. The vulnerability affects the legacy Agere Soft Modem drivers shipped with Windows, agrsm64.sys and agrsm.sys, and was publicly documented before Microsoft's January 2026 action to remove the affected drivers.

ANALYST BRIEF

Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local attacker to escalate from a medium-integrity user process to NT AUTHORITY\SYSTEM. Because the flaw is in a kernel driver, exploitation can also provide kernel-level code execution, or control equivalent to it, sufficient to bypass or disable security controls, including AV- and PPL-related protections. The vulnerability is suitable for post-compromise privilege escalation and could be leveraged in bring-your-own-vulnerable-driver (BYOVD) intrusions or ransomware operations wherever the vulnerable signed driver is present on the target system.

Mitigation

If you can’t patch tonight, do this now.

If immediate remediation is not possible, prevent the vulnerable drivers agrsm64.sys and agrsm.sys from loading by using Windows Defender Application Control (WDAC), vulnerable driver blocklists, or equivalent kernel-driver allow/deny policies. Reduce local attacker access by limiting interactive logon and code execution for untrusted users, and monitor for attempts to open the device interface exposed by the modem driver or to load legacy third-party modem drivers. Because the mere presence of the driver creates exposure, systems that retain it should be treated as at risk even if no modem hardware is in use.

Remediation

Patch, then assume compromise.

Remove the vulnerable Agere Soft Modem drivers from affected systems. Microsoft’s January 2026 updates addressed the issue by removing agrsm64.sys and agrsm.sys from supported Windows systems. Organizations should identify systems that still depend on these legacy modem drivers, eliminate that dependency where possible, and ensure the Microsoft updates that decommission the drivers are applied. If the drivers are present outside normal Windows servicing, they should be manually removed or blocked from loading.
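The mitigation and remediation steps above both start with the same question: does this host still carry the legacy driver binaries, can the OS still load them, and is a kernel-mode deny policy actually enforced? The following read-only PowerShell inventory check is an added example for this page; it is not code from Mallory, Broadcom or Microsoft. It assumes the driver binaries, if installed, sit under $env:SystemRoot\System32\drivers, that any service which loads them is visible through the Win32_SystemDriver class, and that WDAC enforcement state is readable from Win32_DeviceGuard. The affected version ceiling (2.2.100.1) and the file names come from the advisory text.

```powershell
# Added example (not from the Mallory page, Broadcom or Microsoft): a read-only
# inventory check for the legacy Agere Soft Modem drivers named in the advisory.
# Assumptions: binaries live under $env:SystemRoot\System32\drivers; driver
# services are visible via Win32_SystemDriver; WDAC state via Win32_DeviceGuard.
# Run from an elevated PowerShell session. Makes no changes to the host.

$vulnerableFiles    = @('agrsm64.sys', 'agrsm.sys')
$maxAffectedVersion = [version]'2.2.100.1'      # affected "through version 2.2.100.1"
$driverDir          = Join-Path $env:SystemRoot 'System32\drivers'

function Get-AgereDriverFileStatus {
    # One record per driver binary that is still on disk, with a version verdict.
    foreach ($name in $vulnerableFiles) {
        $path = Join-Path $driverDir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $rawVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        # FileVersion strings sometimes carry build tags; keep digits and dots only.
        $cleaned    = ($rawVersion -replace '[^\d.]', '')
        $parsed     = $null
        $affected   = 'unknown'
        if ([version]::TryParse($cleaned, [ref]$parsed)) {
            $affected = ($parsed -le $maxAffectedVersion)
        }

        [pscustomobject]@{
            File            = $path
            FileVersion     = $rawVersion
            AffectedVersion = $affected
        }
    }
}

function Get-AgereDriverServiceStatus {
    # A driver service that still points at the binary means the OS can load it
    # on demand, even when no modem hardware is present.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'agrsm(64)?\.sys$' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-WdacEnforcementStatus {
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    # A kernel-mode deny rule for the driver only blocks loading when this is 2.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        return $dg.CodeIntegrityPolicyEnforcementStatus
    } catch {
        return $null   # class unavailable on this edition/build
    }
}

$files    = @(Get-AgereDriverFileStatus)
$services = @(Get-AgereDriverServiceStatus)
$wdac     = Get-WdacEnforcementStatus

if ($files.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output 'No Agere Soft Modem driver binaries or driver services found.'
} else {
    Write-Output 'Agere Soft Modem driver artifacts present; treat this host as exposed to CVE-2023-31096:'
    $files    | Format-Table -AutoSize
    $services | Format-Table -AutoSize
}

# switch on $null runs no branch at all in PowerShell, so use if/elseif here.
if ($wdac -eq 2) {
    Write-Output 'WDAC kernel-mode policy is enforced; confirm it denies agrsm64.sys and agrsm.sys.'
} elseif ($wdac -eq 1) {
    Write-Output 'WDAC kernel-mode policy is in audit mode only; a deny rule logs but does not block loading.'
} elseif ($wdac -eq 0) {
    Write-Output 'No WDAC kernel-mode policy enforced; the driver can be loaded if present.'
} else {
    Write-Output 'WDAC enforcement status could not be determined.'
}
```

The file check and the service check are deliberately separate: the January 2026 servicing action removes the binaries, but a host that was imaged from an older build, or that had the driver re-installed from an OEM package, can carry the file without a registered service, or a stale service entry without the file. Either finding is enough to put the host on the remediation list; the WDAC readout tells you whether a deny rule deployed as a stopgap is actually in force rather than merely auditing.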

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability (0 valid / 0 total tracked).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability (vendor-confirmed product mapping).

Vendor   | Product                 | Type
Broadcom | Lsi Pci-Sv92ex Firmware | operating_system
