CVE-2015-8772

9.1 CRITICAL

📋 TL;DR

A flaw in McPvDrv.sys, the kernel driver that ships with the McAfee File Lock component of McAfee Total Protection, lets a local user read sensitive kernel memory or crash the system (BSOD) by sending the driver a specially crafted IOCTL request. Affected: File Lock 5.x with driver version 4.6.111.0. The attacker must already be able to run code on the host; the flaw is not remotely exploitable.

💻 Affected Systems

Products:
  • McAfee Total Protection
  • McAfee File Lock
Versions: McAfee File Lock 5.x with McPvDrv.sys driver version 4.6.111.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires McAfee File Lock component to be installed and active.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash (BSOD) or exposure of sensitive kernel memory contents including passwords, encryption keys, and other privileged data.

🟠

Likely Case

System instability leading to crashes or information disclosure from kernel memory.

🟢

If Mitigated

Limited impact if proper access controls prevent unauthorized local users from executing code.

🌐 Internet-Facing: LOW - Requires local system access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local attackers or malware could exploit this to crash systems or leak sensitive information.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access and knowledge of driver interaction. Proof of concept code has been publicly disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A later McPvDrv.sys build delivered through the McAfee Total Protection product update (the advisory does not list an exact fixed build number); confirm the installed driver version after updating.

Vendor Advisory: https://kc.mcafee.com/corporate/index?page=content&id=SB10156

Restart Required: Yes

Instructions:

1. Open McAfee SecurityCenter
2. Click 'Update'
3. Apply all available updates
4. Restart the system
5. Verify that the McPvDrv.sys version is newer than 4.6.111.0

🔧 Temporary Workarounds

Disable McAfee File Lock

windows

Temporarily disable the vulnerable File Lock component

Open McAfee SecurityCenter
Navigate to 'Real-Time Scanning'
Disable 'File Lock' feature

Caveat: turning a feature off in the product UI does not guarantee that its kernel driver is unloaded. After disabling File Lock, confirm with `driverquery /v | findstr /i McPvDrv` that McPvDrv.sys is no longer running; if it is still loaded, the IOCTL interface remains reachable and the workaround is not effective.

Restrict driver access

windows

Limit which users can run code on hosts where the driver is installed

Windows does not expose per-device IOCTL access control through Group Policy; the ACL on the driver's device object is set by the driver itself when it creates the device. The realistic control is to keep untrusted code away from the driver: run users as standard (non-administrator) accounts and use AppLocker or Software Restriction Policies via Group Policy or local security policy to restrict which executables non-admin users may launch.

🧯 If You Can't Patch

  • Restrict who can log on to and run code on affected hosts (standard user accounts, application allow-listing), since exploitation requires local code execution
  • Monitor affected hosts for unexpected reboots and bugchecks (see Detection & Monitoring); note that the information-disclosure variant does not crash the system and leaves little native log trace

🔍 How to Verify

Check if Vulnerable:

Read the file version of McPvDrv.sys in C:\Windows\System32\drivers\ (file Properties > Details, or the VersionInfo of the file in PowerShell). Version 4.6.111.0 is vulnerable. The host is only exposed if the driver is installed, so first confirm it is present and loaded.

Check Version:

driverquery /v | findstr /i McPvDrv

Note: driverquery reports whether the driver is installed and running, its path and link date, but not the file version; read the version from the file itself.

Verify Fix Applied:

After updating and rebooting, confirm that the McPvDrv.sys file version is newer than 4.6.111.0 and that the running driver reported by `driverquery /v` points at the updated file.
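The following PowerShell script is an added example for the check above; it is not McAfee tooling or part of the original advisory. It reads the numeric version parts of McPvDrv.sys (so that a suffix in the FileVersion string cannot break the comparison), treats any build at or below 4.6.111.0 as vulnerable (an assumption, since the advisory gives no exact fixed build), and reports whether the driver is actually loaded, which also serves to check the "disable File Lock" workaround.

```powershell
# Added example, not McAfee's or the advisory's own tooling.
# Assumptions: the driver lives under System32\drivers (per the advisory) and
# every build at or below 4.6.111.0 is vulnerable.

$VulnerableVersion = [version]'4.6.111.0'
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\McPvDrv.sys'

function Get-McPvDrvStatus {
    param(
        [string]$Path = $DriverPath,
        [version]$MaxVulnerable = $VulnerableVersion
    )

    $result = [ordered]@{
        Path       = $Path
        Present    = Test-Path -LiteralPath $Path
        Version    = $null
        Loaded     = $false
        Vulnerable = $false
    }

    if ($result.Present) {
        # Build a [version] from the numeric parts rather than parsing the
        # FileVersion string, which may carry extra text after the number.
        $vi = (Get-Item -LiteralPath $Path).VersionInfo
        $result.Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
        $result.Vulnerable = ($result.Version -le $MaxVulnerable)
    }

    # Disabling File Lock in the UI does not guarantee the kernel driver is
    # unloaded, so check the running state as well as the file on disk.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.PathName -like '*McPvDrv.sys*' }
    if ($drv) {
        $result.Loaded = ($drv.State -eq 'Running')
    }

    [pscustomobject]$result
}

$status = Get-McPvDrvStatus
$status | Format-List

if ($status.Present -and $status.Vulnerable) {
    Write-Warning "McPvDrv.sys $($status.Version) is at or below $VulnerableVersion: update McAfee Total Protection."
    if ($status.Loaded) { Write-Warning 'The vulnerable driver is currently loaded.' }
} elseif ($status.Present) {
    Write-Output "McPvDrv.sys $($status.Version) is newer than $VulnerableVersion."
} else {
    Write-Output 'McPvDrv.sys is not present; File Lock is not installed on this host.'
}
```

Run it as an administrator so that Win32_SystemDriver and the driver file are readable; a host where Present is true and Loaded is false after the workaround has the driver on disk but not running, which is the state the workaround is meant to produce.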

📡 Detection & Monitoring

Log Indicators:

  • Unexpected reboots in the System log: Event ID 41 (Microsoft-Windows-Kernel-Power, "rebooted without cleanly shutting down") and Event ID 1001 (source BugCheck, which carries the stop code)
  • Crash dumps under %SystemRoot%\Minidump or %SystemRoot%\MEMORY.DMP whose faulting module is McPvDrv.sys (requires crash dump generation to be enabled; confirm with a debugger)
  • IOCTL calls to McPvDrv.sys are not logged by Windows itself; observing them requires EDR or kernel tracing, and the information-disclosure variant (no crash) leaves essentially no native log trace

Network Indicators:

  • None - local exploit only

SIEM Query:

(EventID=41 AND Source='Microsoft-Windows-Kernel-Power') OR (EventID=1001 AND Source='BugCheck')

Scope the query to hosts on which McPvDrv.sys is installed and alert on repeated hits per host; a single Event ID 41 also fires on hard resets and power loss, so it is noisy on its own.
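As an added example (not part of the advisory and not McAfee tooling), the same hunt run locally with PowerShell against the System log. It assumes the log has not been cleared by the attacker and that Event ID 1001 from source BugCheck carries the stop-code string in its first event-data field, as it does on supported Windows versions; the 30-day window is an arbitrary choice.

```powershell
# Added example: local hunt for the crash indicators in the advisory.
# Assumes the System log is intact and Event 1001 (BugCheck) puts the
# "0x... (p1, p2, p3, p4)" stop-code string in its first data field.

function Get-RecentCrashEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # 41: Kernel-Power, rebooted without a clean shutdown (also fires on
    #     hard resets, so it is noisy on its own).
    # 1001: BugCheck, rebooted from a bugcheck, with the stop code.
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41;   StartTime = $since }
        @{ LogName = 'System'; ProviderName = 'BugCheck';                      Id = 1001; StartTime = $since }
    )

    foreach ($f in $filters) {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            # For 1001 the first data item is the stop-code string; for 41 it is
            # the BugcheckCode as a number (0 when the reboot was not a bugcheck).
            $detail = $null
            if ($_.Properties.Count -gt 0) { $detail = $_.Properties[0].Value }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $_.MachineName
                EventId = $_.Id
                Source  = $_.ProviderName
                Detail  = $detail
            }
        }
    }
}

$crashes = Get-RecentCrashEvents -Days 30 | Sort-Object Time
$crashes | Format-Table -AutoSize

# Repeated bugchecks on a host that has McPvDrv.sys installed are the signal
# to pull the dump and confirm which driver faulted.
$bugchecks = @($crashes | Where-Object { $_.EventId -eq 1001 })
if ($bugchecks.Count -gt 0) {
    Write-Warning "$($bugchecks.Count) bugcheck(s) in the last 30 days; review dumps under $env:SystemRoot\Minidump."
}
```

The events only tell you that the host crashed; attributing the crash to McPvDrv.sys needs the dump (for example `!analyze -v` in WinDbg), and an exploit that only reads kernel memory produces none of these events at all.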
