FluxInk Color Management Driver local privilege escalation
Summary
| CVE | CVE-2026-58583 |
|---|---|
| State | PUBLISHED |
| Assigner | cisa-cg |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-07 21:17:29 UTC |
| Updated | 2026-07-07 21:17:29 UTC |
| Description | FluxInk (formerly Sunia SPB Peripheral) Color Management Driver (TcnPeripheral64.sys) 1.0.7.2 allows local privilege escalation for a standard user account via arbitrary physical memory mapping at \Device\PhysicalMemory. Fixed in version 1.0.7.6. The fixed driver is currently available in the Windows 11 25H2 HLK (Hardware Lab Kit). The fixed driver may be available through Windows Update or from Lenovo directly. |
Risk And Classification
Primary CVSS: v4.0 8.4 HIGH from 9119a7d8-5eab-497f-8521-727c672e3725
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-269 | CWE-269 CWE-269 Improper Privilege Management
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 9119a7d8-5eab-497f-8521-727c672e3725 | Secondary | 8.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| 3.1 | 9119a7d8-5eab-497f-8521-727c672e3725 | Secondary | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | CNA | DECLARED | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
CVSS v4.0 Breakdown
Attack Vector
LocalAttack Complexity
LowAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | FluxInk | Color Management Driver | affected 1.0.7.6 custom | Not specified |
| CNA | FluxInk | Color Management Driver | unaffected 1.0.7.6 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/b3s3da/TcnPeripheral64_PoC | 9119a7d8-5eab-497f-8521-727c672e3725 | github.com | |
| www.cve.org/CVERecord | 9119a7d8-5eab-497f-8521-727c672e3725 | www.cve.org | |
| github.com/b3s3da/TcnPeripheral64_PoC/security/advisories/GHSA-x4rw-h4v2... | 9119a7d8-5eab-497f-8521-727c672e3725 | github.com | |
| raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-188-01.json | 9119a7d8-5eab-497f-8521-727c672e3725 | raw.githubusercontent.com | |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Julian Horoszkiewicz, Atos Threat Research Center (en)
There are currently no legacy QID mappings associated with this CVE.