CVE-2024-55414
smserl64.sys -- physical memory mapping in Motorola Soft Modem driver (removed in January 2026 update)
Summary
| Field | Value |
|---|---|
| Driver | smserl64.sys (Motorola Soft Modem) |
| Vulnerability Class | Arbitrary Physical Memory Mapping |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | January 13, 2026 (driver removed) |
Root Cause
Like its contemporary agrsm64.sys (CVE-2023-31096), the Motorola Soft Modem driver (smserl64.sys) is a legacy kernel component that served hardware no modern system uses. Unlike the Agere driver's stack overflow, the vulnerability in smserl64.sys is more direct: the driver exposes an IOCTL that maps arbitrary physical memory into user-mode address space with no access control checks.
Any local user can open a handle to the driver's device object and request a physical memory mapping at any physical address. The mapping is returned to user mode with read/write permissions. The driver performs no validation of the caller's privileges, no check on the target physical address, and no restriction on the size of the mapping.
This gives the caller unrestricted read/write access to physical memory, which is equivalent to full kernel compromise. Physical memory access bypasses all software-enforced security boundaries: KASLR, page table isolation, kernel object protections, and even some hardware-enforced protections on systems without IOMMU enforcement.
Microsoft removed the driver in the January 2026 cumulative update, the same update that removed agrsm64.sys.
Exploitation
Exploitation is trivial. The attacker opens a handle to the driver's device and sends an IOCTL requesting a physical memory mapping at a chosen address. The driver returns the mapping, and the attacker reads or writes physical memory directly.
With physical memory access, the attacker can scan for kernel structures (page tables, EPROCESS blocks, token objects) by their known signatures, then modify them in place. No kernel virtual address is needed because the attacker operates on physical addresses directly. This bypasses KASLR entirely, since kernel base addresses are a virtual memory concept that does not apply to physical memory scanning.
Exploitation Primitive
Open device handle -> request physical memory mapping
-> arbitrary physical memory R/W -> kernel compromise
(mitigated by driver removal)
Broader Significance
The drivers behind CVE-2024-55414 and CVE-2023-31096 were both removed in the same January 2026 update, representing a coordinated cleanup of legacy modem drivers from the Windows image. These drivers served hardware that peaked in relevance around 2005 and had been essentially dead weight in the kernel for over a decade. Their removal is a welcome development, but it raises the question of how many other legacy drivers with similar vulnerabilities remain in the Windows image. The pattern of "legacy driver ships for years with exploitable primitives, gets quietly removed when someone files a CVE" suggests that proactive auditing of obsolete kernel components would pay dividends.
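To confirm that a given host no longer carries either driver, the following read-only inventory check can be run from an elevated PowerShell prompt. It is an added example, not code from the original page or from Microsoft; the two file names come from the page, while the directories searched are the standard Windows driver locations and are an assumption about where a leftover copy would sit.

```powershell
# Added example: read-only inventory of the two legacy modem drivers named on this page.
$legacyDrivers = 'smserl64.sys', 'agrsm64.sys'   # file names taken from the page

# Assumed locations: the live drivers directory and the driver store.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
$storeRoot  = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

# Kernel driver services registered with the Service Control Manager.
$services = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($name in $legacyDrivers) {
    # 1. Is the driver image still in the live drivers directory?
    $onDisk = Test-Path -LiteralPath (Join-Path $driversDir $name)

    # 2. Staged copies in the driver store; a staged package can be installed again.
    $staged = @(Get-ChildItem -LiteralPath $storeRoot -Recurse -File -Filter $name `
                    -ErrorAction SilentlyContinue)

    # 3. Registered services whose image path points at this file.
    #    Matching on the path avoids guessing the service name.
    $svc = @($services | Where-Object { $_.PathName -like "*\$name" })

    [pscustomobject]@{
        Driver       = $name
        OnDisk       = $onDisk
        StagedCopies = $staged.Count
        Service      = ($svc.Name -join ',')
        State        = ($svc.State -join ',')      # Running means the driver is loaded
        StartMode    = ($svc.StartMode -join ',')
    }
}

$report | Format-Table -AutoSize

# Any hit means the removal described above has not taken effect on this host.
$present = @($report | Where-Object { $_.OnDisk -or $_.StagedCopies -gt 0 -or $_.Service })
if ($present.Count -gt 0) {
    Write-Warning ("Legacy modem driver still present: " + ($present.Driver -join ', '))
} else {
    Write-Output 'Neither legacy modem driver was found on this host.'
}
```

A service in the `Running` state is the case that matters most, since the device object is only reachable while the driver is loaded; a file on disk or a staged copy with no registered service is a cleanup item rather than a live exposure.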