MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-57851 represents a critical local privilege escalation vulnerability in MSI Feature Manager's KernCoreLib64.sys kernel driver. The vulnerability exposes IOCTL handlers that lack proper access controls, enabling any locally authenticated user to perform arbitrary physical memory read/write operations and unrestricted I/O port access without administrator privileges. This is particularly dangerous because it bypasses Windows security boundaries—attackers can manipulate kernel objects, tamper with kernel-mode callbacks, and disable Protected Process Light (PPL) protections that are designed to shield critical security processes. Organizations running MSI Feature Manager across enterprise environments face significant risk, as the barrier to exploitation is minimal: an attacker needs only local access, not elevated privileges.
While this CVE currently has zero mapped Casky skills, practitioners should monitor for attack patterns associated with kernel exploitation and privilege escalation. Detection would focus on observing CWE-782 (Exposed IOCTL with Insufficient Access Control) manifestations through Privilege Escalation and Defense Evasion techniques. Security teams should hunt for suspicious device driver interactions, IOCTL call sequences targeting KernCoreLib64.sys, unexpected kernel memory access patterns, and attempts to disable or bypass Protected Process Light. When Casky's extended reasoning capabilities map additional MITRE techniques to this vulnerability, practitioners will gain visibility into process injection patterns, kernel callback manipulation, and attempts to modify security software behavior—enabling proactive detection before exploitation occurs in their environment.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-57851. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation