CVE-2026-4416

The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine service, resulting in privilege escalation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/en/cp-139-10806-fbc4a-2.html	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-10805-a53f6-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gigabyte:performance_library:*:*:*:*:*:*:*:*

History

08 Apr 2026, 19:23

Type	Values Removed	Values Added
References	~~() https://www.twcert.org.tw/en/cp-139-10806-fbc4a-2.html -~~	() https://www.twcert.org.tw/en/cp-139-10806-fbc4a-2.html - Third Party Advisory
References	~~() https://www.twcert.org.tw/tw/cp-132-10805-a53f6-1.html -~~	() https://www.twcert.org.tw/tw/cp-132-10805-a53f6-1.html - Third Party Advisory
First Time		Gigabyte Gigabyte performance Library
CPE		cpe:2.3:a:gigabyte:performance_library::::::::
Summary		(es) El componente Performance Library de Gigabyte Control Center tiene una vulnerabilidad de deserialización insegura. Atacantes locales autenticados pueden enviar una carga útil serializada maliciosa al servicio EasyTune Engine, lo que resulta en escalada de privilegios.

30 Mar 2026, 08:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 08:16

Updated : 2026-04-08 19:23

NVD link : CVE-2026-4416

Mitre link : CVE-2026-4416

CVE.ORG link : CVE-2026-4416

JSON object : View

Products Affected

gigabyte

performance_library

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-4416", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-30T08:16:18.360", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10806-fbc4a-2.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10805-a53f6-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The Performance Library component of Gigabyte Control Center has an Insecure Deserialization vulnerability. Authenticated local attackers can send a malicious serialized payload to the EasyTune Engine service, resulting in privilege escalation."}, {"lang": "es", "value": "El componente Performance Library de Gigabyte Control Center tiene una vulnerabilidad de deserializaci\u00f3n insegura. Atacantes locales autenticados pueden enviar una carga \u00fatil serializada maliciosa al servicio EasyTune Engine, lo que resulta en escalada de privilegios."}], "lastModified": "2026-04-08T19:23:47.020", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gigabyte:performance_library:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90A2231A-3F0C-42F6-B9F9-8B62715C77B3", "versionEndExcluding": "25.12.31.01"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}