What starting position does this attack require?

The first step is Renderer RCE already achieved (T1190) — a initial access primitive. Assumed environment: target endpoint has a graphics driver / kernel with a known IOCTL flaw the GPU process can reach.

What is the final impact of this kill-chain?

The final step lands on GPU process sends crafted IOCTL (BRW-GPU-IOCTL), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Renderer compromise → GPU process → vulnerable kernel driver

After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Initial Access

Renderer RCE already achieved

T1190 · Exploit Public-Facing Application

Initial Access

SYSTEM / root on the host

T1078 · Valid Accounts

Defense Evasion

Kernel driver UAF / OOB → ring0 R/W

EDR-BYOVD · BYOVD — Bring-Your-Own-Vulnerable-Driver

Privilege Escalation

Talk to GPU process via Mojo IPC

BRW-RENDERER-SBX-ESCAPE · Renderer → Broker Sandbox Escape

Privilege Escalation

GPU process sends crafted IOCTL

BRW-GPU-IOCTL · GPU Process Driver IOCTL Escape

§ Context

Assumed environment: target endpoint has a graphics driver / kernel with a known IOCTL flaw the GPU process can reach. Common on outdated Windows + Intel/AMD GPU stacks.

§ Steps

01
Renderer RCE already achievedInitial Access
T1190— Exploit Public-Facing Application
02
SYSTEM / root on the hostInitial Access
T1078— Valid Accounts
03
Kernel driver UAF / OOB → ring0 R/WDefense Evasion
EDR-BYOVD— BYOVD — Bring-Your-Own-Vulnerable-Driver
04
Talk to GPU process via Mojo IPCPrivilege Escalation
BRW-RENDERER-SBX-ESCAPE— Renderer → Broker Sandbox Escape
05
GPU process sends crafted IOCTLPrivilege Escalation
BRW-GPU-IOCTL— GPU Process Driver IOCTL Escape

§ References

T1190Exploit Public-Facing Application
T1078Valid Accounts

§ Frequently asked

What is the "Renderer compromise → GPU process → vulnerable kernel driver" attack path?: After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Renderer RCE already achieved (T1190) — a initial access primitive. Assumed environment: target endpoint has a graphics driver / kernel with a known IOCTL flaw the GPU process can reach.
What is the final impact of this kill-chain?: The final step lands on GPU process sends crafted IOCTL (BRW-GPU-IOCTL), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Renderer compromise → GPU process → vulnerable kernel driver

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

BYOVD → kernel-level disable of EDR callbacks