Bypass Record

BYOVD (Vulnerable Driver) × Riot Games Vanguard

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Riot Games Vanguard, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Riot Games Vanguard
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: patched
Disclosed: 2025-03-02
Config / version noted: Not stated

Provenance

Reported as

bypassed Vanguard's protections

Mechanism

The exploit directly manipulates physical memory to load an unsigned driver into kernel space, bypassing Windows DSE and Vanguard's kernel-level protections. It uses a driver mapping engine, kernel context handler, and driver image processor to map physical pages, resolve imports, and establish communication channels for privileged memory operations on the game process.

Detection & mitigation

Monitor for drivers loaded with invalid or untrusted signatures using Windows Event ID 3023 (Microsoft-Windows-CodeIntegrity/Operational) or EDR telemetry. Mitigate by enforcing HVCI/VBS and maintaining updated anti-cheat/EDR signatures to block known vulnerable driver hashes.
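The checks described above as a host-side triage script. This is an added example, not taken from the cited source: the 7-day lookback and the variable names are assumptions, while the log name and event ID are the ones given in this record.

```powershell
# Added example: pull the Code Integrity events named in this record and
# report whether VBS/HVCI is actually running on the host.
# Run from an elevated PowerShell session on the Windows machine being checked.

$logName  = 'Microsoft-Windows-CodeIntegrity/Operational'
$eventId  = 3023                      # event ID given in the record above
$lookback = (Get-Date).AddDays(-7)    # assumption: 7-day triage window

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = $eventId
    StartTime = $lookback
} -ErrorAction SilentlyContinue

# Flatten each event's named EventData fields into one row. No field names are
# assumed here; whatever the event carries is reported as-is.
$hits = foreach ($e in $events) {
    $row = [ordered]@{ TimeCreated = $e.TimeCreated; RecordId = $e.RecordId }
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

if ($hits) {
    $hits | Format-List
} else {
    Write-Output "No event $eventId in $logName since $lookback"
}

# Mitigation check: Win32_DeviceGuard reports VBS state and running services.
# VirtualizationBasedSecurityStatus 2 = running; service value 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

if ($null -eq $dg) {
    Write-Warning 'Win32_DeviceGuard not available; VBS/HVCI state unknown.'
} else {
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
    } | Format-List
}
```

A host that shows `HvciConfigured` true but `HvciRunning` false has the policy set without the protection in effect and should be treated as unprotected until that is resolved.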

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.