Arbitrary kernel memory read/write in Portwell Engineering Toolkits 4.8.2 driver (CVE-2026-3437)
CVE-2026-3437 is an Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) in the Portwell Engineering Toolkits driver affecting Portwell Engineering Toolkits version 4.8.2. The flaw allows a local authenticated attacker to perform arbitrary memory read and write operations via the driver, indicating insufficient bounds checking/validation in driver-mediated memory operations.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small standalone Windows C++ proof-of-concept exploit for CVE-2026-3437 affecting Portwell Engineering Toolkits v4.8.2. It is not part of a larger exploit framework. The project is built with CMake and contains one main executable source file, src/entry.cpp, plus a helper header, src/portwell.hpp, that implements the exploit logic. The repository structure is minimal: build configuration files (.vscode, CMakeLists.txt, CMakePresets.json), a README describing the vulnerability and usage, and the two source files.

The actual exploit logic resides in src/portwell.hpp. That header defines the device path \\.\PORTWELL_0_1, two IOCTL codes for read and write, request structures for the driver protocol, and helper functions that initialize the device handle and perform read_phys/write_phys operations using DeviceIoControl. The exploit capability is arbitrary physical memory access from user mode through the vulnerable signed driver. The code constructs a 16-byte physical-memory request header containing a target physical address, access width, and byte count. For reads, it sends the header with IOCTL 0xEA606450 and receives raw bytes into a caller-supplied buffer. For writes, it appends attacker-controlled data after the header and sends it with IOCTL 0xEA60A454. The README explicitly states that the flaw stems from unsafe use of MmMapIoSpace without proper validation, enabling local privilege escalation and BYOVD (bring-your-own-vulnerable-driver) scenarios.

The main program in src/entry.cpp is a demonstration payload rather than a full privilege-escalation chain. It opens the device, reads 4 bytes from physical address 0x1000, writes the value 0x1337 to that same physical address, and reads it back to confirm success. There is no automated token stealing, shell spawning, or SYSTEM process creation; instead, it exposes and demonstrates the core primitive needed for further exploitation.

Because it includes working exploit code with a hardcoded demonstration target and no generalized post-exploitation automation, the maturity is best classified as OPERATIONAL.
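As an added defender-side example (not code from this page or from the proof-of-concept repository), the following Python decodes the two IOCTL codes named above into their CTL_CODE fields and scans DeviceIoControl telemetry for calls that reach the \\.\PORTWELL_0_1 device path. The log line format is an assumption constructed for the example; map its fields onto whatever your EDR or ETW source actually emits.

```python
# Added example: decode the Portwell IOCTLs from the write-up and hunt for them in
# DeviceIoControl telemetry. Log format below is constructed, not a real product's.
import re

DEVICE_PATH = r"\\.\PORTWELL_0_1"      # device path named in the write-up
IOCTL_READ_PHYS = 0xEA606450           # physical-memory read IOCTL from the write-up
IOCTL_WRITE_PHYS = 0xEA60A454          # physical-memory write IOCTL from the write-up

# Field encodings of a Windows CTL_CODE: DeviceType<<16 | Access<<14 | Function<<2 | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE value into DeviceType / Access / Function / Method."""
    return {
        "device_type": code >> 16,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }

# Constructed sample telemetry (one DeviceIoControl event per line); hypothetical format.
SAMPLE_LOG = """\
pid=4120 image=C:\\Tools\\poc.exe device=\\\\.\\PORTWELL_0_1 ioctl=0xEA606450 inlen=16
pid=4120 image=C:\\Tools\\poc.exe device=\\\\.\\PORTWELL_0_1 ioctl=0xEA60A454 inlen=20
pid=812 image=C:\\Windows\\System32\\svchost.exe device=\\\\.\\Nsi ioctl=0x00120007 inlen=64
"""

LINE_RE = re.compile(
    r"pid=(?P<pid>\d+) image=(?P<image>\S+) device=(?P<device>\S+) ioctl=(?P<ioctl>0x[0-9A-Fa-f]+)")

def find_portwell_access(log_text: str) -> list:
    """Return every event that issues one of the two known IOCTLs to the Portwell device."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["device"] != DEVICE_PATH:
            continue
        code = int(m["ioctl"], 16)
        if code not in (IOCTL_READ_PHYS, IOCTL_WRITE_PHYS):
            continue
        hits.append({"pid": int(m["pid"]), "image": m["image"],
                     "op": "write_phys" if code == IOCTL_WRITE_PHYS else "read_phys",
                     **decode_ioctl(code)})
    return hits

if __name__ == "__main__":
    for hit in find_portwell_access(SAMPLE_LOG):
        print(hit)
```

Decoding shows the read IOCTL carries FILE_READ_ACCESS (function 0x914) and the write IOCTL FILE_WRITE_ACCESS (function 0x915), both METHOD_BUFFERED, so a write hit from a non-Portwell tool is the event to escalate first.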