Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows 10, Windows 11

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows 10, Windows 11, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows 10, Windows 11
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2026-03-26
Config / version noted
Yes

Provenance

Reported as

disabling Driver Signature Enforcement (DSE) on Windows

Mechanism

The tool is a Bring Your Own Vulnerable Driver (BYOVD) attack. From an administrator context it loads gdrv.sys, a legitimately signed GIGABYTE driver with a known vulnerability (CVE-2018-19320) whose IOCTL interface exposes an arbitrary kernel memory read/write primitive. With that primitive it locates the ci.dll image in kernel memory, finds the g_CiOptions global that holds the code-integrity policy flags, and overwrites it (the report gives the value 0xF) so that code integrity no longer rejects unsigned images; an unsigned driver can then be loaded through the normal service-control path. Two caveats a practitioner should note: on current builds PatchGuard monitors g_CiOptions, so tools of this kind typically change the value, load the payload driver and restore it promptly rather than leaving DSE off; and on a host with HVCI enabled the code-integrity decision is enforced by the secure kernel, so patching the ci.dll global in the normal kernel does not by itself allow unsigned drivers to load.

Detection & mitigation

Monitor driver loads with Sysmon Event ID 6 (DriverLoad) or equivalent EDR telemetry. The event carries ImageLoaded, Hashes, Signed, Signature and SignatureStatus; match the hashes against Microsoft's vulnerable driver blocklist or the LOLDrivers list rather than the file name, since the attacker controls the name on disk. The kernel write to ci.dll itself is not directly visible in standard telemetry; the observable sequence is a known-vulnerable signed driver load followed shortly by a driver load that is unsigned or whose signature does not validate, which is only possible once DSE is off. A new driver service also appears as System log Event ID 7045. Mitigation: enable HVCI/VBS so that code-integrity decisions are made by the secure kernel and the blocklist is enforced; deploy WDAC driver block rules or Microsoft's vulnerable driver blocklist (on by default on recent Windows 11 builds and on HVCI-enabled devices), where blocked loads are recorded in the Microsoft-Windows-CodeIntegrity/Operational log; and restrict local administrator rights, because loading any driver requires SeLoadDriverPrivilege.
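The two observable steps of the sequence above (a signed but known-vulnerable driver load, then an unsigned driver load) can be correlated from Sysmon DriverLoad telemetry. The following is an added example written for this record, not code from the cited report or from any tool it describes. The Sysmon event records, paths, hashes and timestamps are constructed for the example, and the name and hash lists are placeholders to be populated from a real blocklist feed.

```python
"""Correlate Sysmon DriverLoad (Event ID 6) records to flag the
BYOVD -> DSE-off -> unsigned-driver sequence.

Added example, not from the original record. All events below are
constructed; the vulnerable-driver lists are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"

# Assumption: a short name-based list keeps the example readable. In
# production match the SHA256 from the Hashes field against the Microsoft
# vulnerable driver blocklist or LOLDrivers, since gdrv.sys can be renamed.
KNOWN_VULNERABLE_NAMES = {"gdrv.sys"}
KNOWN_VULNERABLE_SHA256 = set()  # populate from a hash feed; empty here


def parse_driver_load(xml_text):
    """Return the fields of a Sysmon Event ID 6 record, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    image = data["ImageLoaded"]
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return {
        "time": datetime.strptime(data["UtcTime"], SYSMON_TIME),
        "image": image,
        "name": image.rsplit("\\", 1)[-1].lower(),
        "sha256": hashes.get("SHA256", "").lower(),
        "signed": data.get("Signed", "").lower() == "true",
        "status": data.get("SignatureStatus", ""),
    }


def detect_byovd_sequence(events, window=timedelta(minutes=10)):
    """Alert on known-vulnerable driver loads, on drivers that are not validly
    signed, and specifically on an unsigned load within `window` after a
    vulnerable one (the DSE-bypass pattern)."""
    alerts = []
    last_vuln_time = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["name"] in KNOWN_VULNERABLE_NAMES or ev["sha256"] in KNOWN_VULNERABLE_SHA256:
            alerts.append(("vulnerable_driver_load", ev["image"]))
            last_vuln_time = ev["time"]
            continue
        untrusted = not ev["signed"] or ev["status"] != "Valid"
        if not untrusted:
            continue
        if last_vuln_time is not None and ev["time"] - last_vuln_time <= window:
            alerts.append(("unsigned_driver_after_byovd", ev["image"]))
        else:
            alerts.append(("unsigned_driver_load", ev["image"]))
    return alerts


def _sysmon_event(utc, image, hashes, signed, signature, status):
    """Build a minimal Sysmon Event ID 6 XML record (constructed test data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">{hashes}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample: a normal signed load, the vulnerable driver, an unsigned
# payload 30 s later, and an unrelated unsigned load two hours on.
SAMPLE_EVENTS = [
    _sysmon_event("2024-05-01 09:58:00.000", r"C:\Windows\System32\drivers\tcpip.sys",
                  "SHA256=" + "11" * 32, "true", "Microsoft Windows", "Valid"),
    _sysmon_event("2024-05-01 10:00:00.000", r"C:\Users\Public\gdrv.sys",
                  "SHA256=" + "22" * 32, "true", "Giga-Byte Technology", "Valid"),
    _sysmon_event("2024-05-01 10:00:30.000", r"C:\Users\Public\payload.sys",
                  "SHA256=" + "33" * 32, "false", "-", "Unavailable"),
    _sysmon_event("2024-05-01 12:00:00.000", r"C:\Users\Public\later.sys",
                  "SHA256=" + "44" * 32, "false", "-", "Unavailable"),
]

if __name__ == "__main__":
    parsed = [e for e in (parse_driver_load(x) for x in SAMPLE_EVENTS) if e]
    for kind, image in detect_byovd_sequence(parsed):
        print(f"{kind}: {image}")
```

The correlation window is the part worth tuning: the restore-and-reload behaviour described under Mechanism means the unsigned load usually follows the vulnerable load within seconds, so a short window keeps the high-confidence alert specific while the plain unsigned_driver_load alert still fires for anything outside it.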


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.