CVE-2023-31096
agrsm64.sys -- stack overflow in Agere Soft Modem driver (removed in January 2026 update)
Summary
| Field | Value |
|---|---|
| Driver | agrsm64.sys (Agere Soft Modem) |
| Vulnerability Class | Buffer Overflow (Stack) |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | January 13, 2026 (driver removed) |
Root Cause
The Agere Soft Modem driver (agrsm64.sys) is a legacy component that has shipped with Windows for years, providing software-based modem functionality on systems with compatible Agere/LSI chipsets. Despite the near-extinction of dial-up modems, the driver remained in the Windows image.
When processing certain crafted input, the driver copies data onto the kernel stack without adequate bounds checking. The input length is attacker-controlled, and there is no cap on how much data gets written to the stack buffer. A sufficiently large input overwrites the return address and adjacent stack frames, giving the attacker control over the instruction pointer in kernel context.
Rather than issuing a targeted patch for this legacy code, Microsoft chose to remove agrsm64.sys entirely in the January 2026 cumulative update. This is an increasingly common approach for drivers that serve obsolete hardware and carry more security risk than functional value.
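The defect described above, reduced to a user-mode model as an added example (this is not code from agrsm64.sys or from Microsoft): a length-driven copy into a fixed stack buffer with no cap, beside the bounds-checked handler that rejects oversized input before any copy. The frame size, status codes and sample payloads are constructed assumptions, since the page does not give the driver's request format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: this page gives no agrsm64.sys request layout or status
 * codes, so the frame size, status codes and sample payloads below are made up. */
#define MODEM_FRAME_MAX 64
enum req_status { REQ_OK = 0, REQ_INVALID_PARAMETER = -1, REQ_INVALID_BUFFER_SIZE = -2 };
static const uint8_t LEGAL_FRAME[16] = "ATDT5551234\r";   /* legal AT frame, zero-padded */
static uint8_t OVERSIZED_FRAME[4096];                        /* 64x the stack buffer */

/* Stand-in for whatever the driver does with a frame once copied: a byte sum. */
static uint32_t frame_checksum(const uint8_t *f, size_t n) { uint32_t s = 0; while (n--) s += *f++; return s; }
/* The pattern the advisory describes: in_len is caller-controlled (in a WDM driver it
 * would come from Parameters.DeviceIoControl.InputBufferLength) and the copy into a
 * fixed stack buffer is not capped. Kept only for contrast; never call it with in_len > 64. */
int handle_frame_unchecked(const uint8_t *in, size_t in_len, uint32_t *out)
{
    uint8_t frame[MODEM_FRAME_MAX];
    memcpy(frame, in, in_len);                  /* unbounded: runs past the frame */
    *out = frame_checksum(frame, in_len);
    return REQ_OK;
}

/* Hardened handler: check pointer and length against the destination size before
 * any copy, and fail closed on oversized input instead of truncating silently. */
int handle_frame_checked(const uint8_t *in, size_t in_len, uint32_t *out)
{
    uint8_t frame[MODEM_FRAME_MAX];
    if (in == NULL || out == NULL) return REQ_INVALID_PARAMETER;
    if (in_len > sizeof frame) return REQ_INVALID_BUFFER_SIZE;
    memcpy(frame, in, in_len);                  /* bounded by sizeof frame */
    *out = frame_checksum(frame, in_len);
    return REQ_OK;
}

/* Returns the checksum on success, or the (negative) status when input is rejected. */
int64_t run_checked(const uint8_t *in, size_t in_len)
{
    uint32_t sum = 0;
    int st = handle_frame_checked(in, in_len, &sum);
    return st == REQ_OK ? (int64_t)sum : (int64_t)st;
}

int main(void)
{
    printf("legal frame -> %lld\n", (long long)run_checked(LEGAL_FRAME, sizeof LEGAL_FRAME));
    printf("oversized   -> %lld\n", (long long)run_checked(OVERSIZED_FRAME, sizeof OVERSIZED_FRAME));
    return 0;
}
```

Note that a functional test with legal input cannot distinguish the two handlers; only the length check differs, which is why this class of bug survives for years in code that is rarely exercised.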
Exploitation
An attacker with local access sends crafted input to the soft modem driver's device object. The stack overflow provides direct kernel code execution by overwriting the return address. Standard kernel stack exploitation techniques apply: the attacker can pivot to a ROP chain or shellcode placed in a controlled buffer, ultimately achieving arbitrary code execution at ring 0.
From kernel code execution, any privilege escalation or persistence technique is available. The most common path is token manipulation on the attacking process's EPROCESS structure for SYSTEM access.
Exploitation Primitive
Crafted modem input -> stack overflow -> kernel code execution
(mitigated by driver removal)
Broader Significance
This CVE illustrates the long tail of legacy driver risk. The Agere Soft Modem driver served hardware that essentially no modern system uses, yet it remained in the Windows image for years, expanding the kernel attack surface for no practical benefit. Microsoft's decision to remove it rather than patch it reflects a broader trend of pruning unused kernel-mode code. The same January 2026 update also removed smserl64.sys (CVE-2024-55414), another obsolete modem driver with an arbitrary physical memory mapping vulnerability. These removals suggest Microsoft is actively auditing its driver inventory for dead-weight attack surface.