Drivers run with the highest privileges in Windows — Kernel Mode. A driver with a known security vulnerability is therefore one of the most dangerous things on a PC: it can be misused by attackers to bypass antivirus protection, escalate privileges, or hide malware deeply in the system. The class of attacks called BYOVD (Bring Your Own Vulnerable Driver) has become one of the most popular methods for advanced attackers since 2021.
What is a CVE?
CVE stands for Common Vulnerabilities and Exposures — a public catalogue of known security vulnerabilities, maintained by the MITRE Corporation. Every CVE has a unique ID like CVE-2024-21925 (year + number).
For drivers, CVEs are particularly relevant because:
- Drivers are signed and trusted — the operating system trusts them by default
- Once a vulnerability is known, attackers can use it for years
- Many users never update drivers as long as the device works — old, vulnerable versions stay alive
BYOVD attacks: the underestimated threat
BYOVD means: an attacker doesn't have to find a fresh vulnerability — they bring an old, vulnerable but legitimately signed driver and load it themselves. Microsoft initially trusts it because the signature is valid. The attacker then exploits the driver's vulnerability to get into the kernel.
Famous BYOVD victims (incomplete):
| CVE | Driver | Year | Known abuse |
|---|---|---|---|
| CVE-2021-21551 | Dell DBUtil_2_3.sys | 2021 | Used by various ransomware groups |
| CVE-2019-16098 | MSI RTCore64.sys (Afterburner) | 2019 | BlackByte ransomware |
| CVE-2020-15368 | ASRock RGB Polychrome RGB | 2020 | Various rootkits |
| CVE-2022-26340 | Razer Synapse rzpnk.sys | 2022 | LPE for local attackers |
| CVE-2024-1853 | Various antivirus drivers | 2024 | EDR bypass |
AVG Driver Updater compares your drivers against the CVE database and warns about known security issues.
Microsoft Vulnerable Driver Blocklist
Since Windows 11, Microsoft maintains an integrated blocklist of known vulnerable drivers — the Microsoft Vulnerable Driver Blocklist. It blocks loading these drivers — but only when:
- HVCI (Hypervisor-Protected Code Integrity) is enabled, OR
- Smart App Control is active
Many users have neither — and are thus exposed to BYOVD attacks despite the list. Important: the blocklist is updated only at irregular intervals (last comprehensive update: April 2024). Truly fresh vulnerabilities don't get caught immediately.
Enabling HVCI
- Windows Security → Device Security → Core Isolation
- Memory Integrity → On
- Reboot
Note: HVCI is incompatible with some older drivers. The system may refuse to enable it as long as such drivers are installed. Then update the affected drivers first.
Finding vulnerable drivers on your own system
Method 1: LOLDrivers Database
The community project loldrivers.io (Living Off The Land Drivers) catalogues all drivers known to be misusable. The database is significantly more comprehensive than Microsoft's blocklist.
Method 2: pnputil + manual check
- Open cmd as administrator
- Run pnputil /enum-drivers
- Compare the listed drivers against the LOLDrivers database
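Method 2 can be automated. The PowerShell below is an added example, not code from this page, from AVG or from the LOLDrivers project: it hashes every kernel driver registered on the machine and looks each hash up in the LOLDrivers feed. It assumes the feed is served as JSON at the URL in the script and that each entry lists its samples under KnownVulnerableSamples with a SHA256 field; both are assumptions, not facts stated on this page.

```powershell
#Requires -RunAsAdministrator
# Added example (not AVG's or LOLDrivers' code): hash every registered kernel
# driver and look the hashes up in the LOLDrivers feed.
# Assumptions (not from the page): the feed is JSON at $feedUrl and each entry
# has a KnownVulnerableSamples array whose items carry a SHA256 field.
$feedUrl = 'https://www.loldrivers.io/api/drivers.json'

# 1. Build a SHA256 -> LOLDrivers id lookup table from the feed.
$known = @{}
foreach ($entry in (Invoke-RestMethod -Uri $feedUrl)) {
    foreach ($sample in $entry.KnownVulnerableSamples) {
        if ($sample.SHA256) { $known[$sample.SHA256.ToLowerInvariant()] = $entry.Id }
    }
}
Write-Host "Loaded $($known.Count) known-vulnerable hashes from LOLDrivers"

# 2. Win32_SystemDriver reports image paths in several NT-style spellings;
#    normalise them to a plain Win32 path before hashing.
function Resolve-DriverPath([string]$raw) {
    $p = $raw -replace '^\\\?\?\\', ''                         # \??\C:\...      -> C:\...
    $p = $p   -replace '^\\SystemRoot', $env:SystemRoot        # \SystemRoot\... -> C:\Windows\...
    $p = $p   -replace '^system32\\', "$env:SystemRoot\System32\"   # relative spelling
    return $p
}

# 3. Hash each driver image and record feed hits; unsigned images are flagged too.
$report = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Service    = $drv.Name
        State      = $drv.State          # Running drivers matter most for BYOVD
        Path       = $path
        Signature  = $sig.Status
        LOLDrivers = $known[$hash]       # $null when the hash is not in the feed
    }
}

# Show only drivers that are in the feed or that do not carry a valid signature.
$report | Where-Object { $_.LOLDrivers -or $_.Signature -ne 'Valid' } |
    Sort-Object State -Descending | Format-Table -AutoSize
```

A hit in the LOLDrivers column means the exact vulnerable build is present; a driver from the same vendor at a newer version is not matched by hash and needs a manual look at its CVE status.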
Method 3: Specialised driver updaters
Modern driver-updater software (like AVG Driver Updater) automatically compares installed drivers against CVE databases and reports vulnerable versions.
What can you actually do to protect yourself?
- Enable HVCI — protects against BYOVD attacks at the kernel level
- Keep drivers up to date — eliminates the breeding ground for BYOVD
- Uninstall unused drivers — every driver you remove is one piece of attack surface less
- Install only trusted drivers — only from manufacturers' websites or via a verified driver updater
- Smart App Control on new Windows 11 installations — the most thorough protection mechanism, but it is only available on very fresh installations
Further sources
Authoritative sources for deeper information:
- Common Vulnerabilities and Exposures (CVE) — Wikipedia
- NIST National Vulnerability Database (official)
- Microsoft Vulnerable Driver Blocklist (official)
- LOLDrivers — Living Off The Land Drivers Database
Frequently asked questions
Limited. Many antivirus solutions detect unusual driver loads, but a clean BYOVD attack with a fully signed driver often bypasses detection. HVCI offers significantly better protection.
That would also affect users still legitimately using older versions. Microsoft tries to balance — known abuse → blocklist; certificate revocation only in extreme cases.
Press Win + R → "msinfo32" → Enter. Find "Virtualization-based Security" + "Hypervisor-protected Code Integrity". If both show "Running": active.
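The msinfo32 check above, and the HVCI state described in the "Enabling HVCI" section, can also be read from a script. This PowerShell is an added example, not from the page's author; it assumes the Win32_DeviceGuard CIM class with the status codes given in the comments and the two registry values named below, none of which the page states.

```powershell
# Added example, not from the page's author: read the state msinfo32 shows as
# "Virtualization-based Security" / "Hypervisor-protected Code Integrity", plus
# the related Windows 11 toggles, then apply the page's rule that the Microsoft
# Vulnerable Driver Blocklist is only enforced with HVCI or Smart App Control.
# Assumed (not stated on the page): the Win32_DeviceGuard codes and both registry values.
function Get-KernelProtectionState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServices* hold lists of service codes; code 2 is HVCI (Memory Integrity)
    $hvciRunning    = ($dg.SecurityServicesRunning    -contains 2)
    $hvciConfigured = ($dg.SecurityServicesConfigured -contains 2)

    # Core Isolation toggle for the vulnerable driver blocklist (assumed location/value name)
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $toggle = $ci.VulnerableDriverBlocklistEnable
    $blocklistToggle = if ($null -eq $toggle) { 'default' } elseif ($toggle -eq 1) { 'on' } else { 'off' }

    # Smart App Control state (assumed location): 0 = off, 1 = on, 2 = evaluation mode
    $pol = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' -ErrorAction SilentlyContinue
    $sacOn = ($pol.VerifiedAndReputablePolicyState -eq 1)

    [pscustomobject]@{
        VbsRunning        = $vbsRunning
        HvciRunning       = $hvciRunning
        # Configured but not running: reboot pending, or an incompatible driver blocks it
        HvciConfigured    = $hvciConfigured
        SmartAppControlOn = $sacOn
        BlocklistToggle   = $blocklistToggle
        # The page's rule: the blocklist only bites when HVCI or Smart App Control is active
        BlocklistEnforced = ($hvciRunning -or $sacOn) -and ($blocklistToggle -ne 'off')
    }
}

$state = Get-KernelProtectionState
$state | Format-List
if (-not $state.BlocklistEnforced) {
    Write-Warning 'Neither HVCI nor Smart App Control is running: the vulnerable driver blocklist is not enforced here.'
}
```

If HvciConfigured is true while HvciRunning is false, either a reboot is still pending or an incompatible driver is blocking Memory Integrity, which is the case the "Enabling HVCI" note describes.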
Definitely. Several CVEs have been documented for old Nvidia and AMD drivers. Graphics drivers are particularly attractive because they are widespread.
Yes: pnputil /delete-driver oem*.inf /force in cmd as administrator. Caution: don't remove the driver of a device you're still using without a replacement.
HVCI: blocks unsigned/unsafe drivers. Smart App Control: blocks unsigned/uncommon applications (.exe, .dll). Both work together but address different attack vectors.