LiveActive security incident?Get immediate response
CVE Record

CVE-2018-5277: In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of se...

In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e000. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit).

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This CVE describes a reported crash issue in an old Malwarebytes Premium driver. A local user may be able to trigger a Windows BSOD through malformed driver input. The vendor reportedly could not reproduce the issue, and the sources do not provide a severity score, confirmed fix, or evidence of active exploitation.

Executive priority

Treat this as a targeted hygiene issue, not an emergency, unless the old Malwarebytes build is widely deployed on shared or user-accessible Windows endpoints. The main business risk is endpoint outage from local denial of service.

Technical view

Malwarebytes Premium 3.3.1.2183 includes FARFLT.SYS, which is reported to insufficiently validate input to IOCTL 0x9c40e000. The stated impact is local denial of service via BSOD, with unspecified other impact possible. Source data lacks CVSS, CWE, complete affected CPEs, and a confirmed vendor reproduction.

Likely exposure

Exposure appears limited to Windows systems running Malwarebytes Premium 3.3.1.2183 with FARFLT.SYS present. The provided affected-product metadata is incomplete, so organizations should rely on endpoint inventory rather than CPE matching alone.

Exploitation context

The CVE references a public proof-of-concept repository, but the bundle does not cite KEV listing or active exploitation. The described attack requires local user access. Vendor reproduction was reportedly unsuccessful, which lowers confidence in practical exploitability.

Researcher notes

The record is sparse and contested by the vendor’s reported inability to reproduce. Avoid assuming privilege escalation or remote reachability from the phrase “unspecified other impact.” Validate exposure through installed version and driver presence, then seek vendor confirmation.

Mitigation direction

  • Inventory endpoints for Malwarebytes Premium 3.3.1.2183 and FARFLT.SYS.
  • Check Malwarebytes guidance or support for affected status and fixed versions.
  • Upgrade or remove obsolete Malwarebytes installations where business-appropriate.
  • Prioritize systems where untrusted users can log in locally.
  • Monitor Windows crash telemetry for FARFLT.SYS-related BSOD events.

Validation and detection

  • Confirm installed Malwarebytes versions through endpoint management data.
  • Verify whether FARFLT.SYS is present on scoped Windows endpoints.
  • Review crash dumps or reliability logs for FARFLT.SYS involvement.
  • Check whether vendor advisories acknowledge a fix or affected build.
  • Document systems where local untrusted user access is possible.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2018-5277 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.