Portwell confirms that CVE-2026-3437 affects Portwell Engineering Toolkits version 4.8.2 and earlier. This vulnerability has been remediated in Portwell Engineering Toolkits version 5.0.0.
A local authenticated attacker could exploit insufficient restrictions in the Portwell Engineering Toolkits driver to gain arbitrary memory access, potentially resulting in privilege escalation or denial of service on affected Windows systems.

| Field | Value |
|---|---|
| Vendor Advisory ID | PWS-2026-3437 |
| Vendor | Portwell |
| Product | Portwell Engineering Toolkits |
| CVE Identifier | CVE-2026-3437 |
| Affected Versions | Version 4.8.2 and earlier |
| Fixed Version | Version 5.0.0 |
| Vulnerability Type | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| Attack Requirements | Local access and authenticated privileges are required |
| Impact | Arbitrary memory access through the Portwell Engineering Toolkits driver, potentially leading to privilege escalation or denial of service |
| Resolution Status | Remediated in Portwell Engineering Toolkits version 5.0.0 |
| NVD CVSS v3.1 | 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| CNA CVSS v4.0 | 9.3 Critical (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) |

Portwell Engineering Toolkits version 5.0.0 addresses this issue by hardening the affected driver and restricting unsafe low-level hardware access paths that could otherwise be abused by a local authenticated user.
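
The following PowerShell is an added example, not Portwell's own tooling: it reads the standard Windows uninstall registry keys and classifies each matching install against the affected and fixed versions listed above. The `DisplayName` match string and the `Get-AdvisoryStatus` helper are assumptions made here; confirm the real display name on a known install.

```powershell
# Added example: classify installed versions against this advisory's version table.
$ProductName  = 'Portwell Engineering Toolkits'  # ASSUMED DisplayName; confirm on a known install
$LastAffected = [version]'4.8.2'                 # advisory: version 4.8.2 and earlier
$FirstFixed   = [version]'5.0.0'                 # advisory: fixed version

function Get-AdvisoryStatus {                    # hypothetical helper, not a vendor tool
    param([string]$DisplayVersion)
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'Unparsed' }
    # Compare on major.minor.build only, so '4.8.2.0' is not ranked above '4.8.2'.
    $v = [version]::new($parsed.Major, $parsed.Minor, [Math]::Max($parsed.Build, 0))
    if ($v -ge $FirstFixed)   { return 'Fixed' }
    if ($v -le $LastAffected) { return 'Affected' }
    return 'Unlisted'   # above 4.8.2 but below 5.0.0: the advisory does not classify it
}

# Standard per-machine uninstall keys (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Report every matching install on this host with its advisory status.
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$ProductName*" } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Get-AdvisoryStatus $_.DisplayVersion
        }
    }

# Constructed version strings to show the classification, not real inventory data.
'4.8.2', '4.8.2.0', '4.9.1', '5.0.0', 'n/a' |
    ForEach-Object { '{0,-8} -> {1}' -f $_, (Get-AdvisoryStatus $_) }
```

Hosts reported as `Unlisted` or `Unparsed` need a manual check, since the advisory names only version 4.8.2 and earlier as affected and version 5.0.0 as fixed.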