CVE-2023-31096: Windows Finally Removes Vulnerable Modem Driver

CVE ID: CVE-2023-31096

Severity: HIGH | CVSS: 7.8

Sources: 3 different security sources

Let Me Explain What Happened

Sometimes the best way to fix a security problem is to simply remove the vulnerable component entirely. That's exactly what Microsoft did in their January 2026 Patch Tuesday update. They removed a legacy modem driver that's been sitting in Windows for years with a known vulnerability—one that could let attackers gain complete control of your system. The driver in question, made by Broadcom for old dial-up modems, had a serious stack overflow vulnerability that was documented back in 2023 but never properly patched. Microsoft's solution? Remove it completely from Windows.

A Bit More Detail

The Broadcom LSI PCI-SV92EX Soft Modem driver (specifically the files agrsm64.sys and agrsm.sys) contained a stack overflow vulnerability in how it handled memory operations. According to the Microsoft Security Response Center, this vulnerability allowed attackers who already had limited access to a system to escalate their privileges all the way to SYSTEM level—the highest level of access in Windows. This made it particularly attractive for ransomware operators using "Bring Your Own Vulnerable Driver" (BYOVD) attacks, where they deliberately install vulnerable drivers to bypass security protections.

The Technical Specifics

  • Attack Vector: LOCAL (AV:L) - Attacker needs local access to the system
  • Attack Complexity: LOW (AC:L) - Easy to exploit once you have access
  • Privileges Required: LOW (PR:L) - Only needs basic user privileges to start
  • User Interaction: NONE (UI:N) - No user action needed
  • Affected Products: Broadcom LSI PCI-SV92EX Soft Modem Kernel Driver through version 2.2.100.1 (AGRSM64.sys)
  • CWE: CWE-787 (Out-of-bounds Write)
  • Vulnerable IOCTL: 0x1b2150 in RTLCopyMemory function
  • CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Why This Vulnerability Was So Dangerous

Let me walk you through why this particular vulnerability was concerning, even though it's been known since 2023. The vulnerability exists in how the driver handles a specific input/output control (IOCTL) request—think of IOCTLs as special commands that programs can send to drivers. When processing IOCTL 0x1b2150, the driver's RTLCopyMemory function didn't properly validate the length of the data it was copying, so a caller could write past the end of a stack buffer (the CWE-787 out-of-bounds write noted above).

Here's what made this particularly nasty: An attacker starting with just a medium-integrity process (like a regular user account) could exploit this to gain SYSTEM privileges. Even worse, because the vulnerable driver's code runs in kernel mode, an exploit could tamper with kernel-level protections, including antivirus software and Protected Process Light (PPL) mechanisms. Security researchers documented this vulnerability being used in coordinated BYOVD ransomware campaigns, where attackers deliberately load vulnerable drivers to disable security tools.

The Timeline: From Discovery to Removal

This vulnerability was first documented publicly in October 2023 by security researcher cschwarz1, who published a detailed technical analysis. However, the driver remained in Windows for over two years. Microsoft finally addressed it in their January 2026 Patch Tuesday release, which according to Tenable's analysis included 113 CVEs total (8 Critical, 105 Important). The Zero Day Initiative also covered this in their January 2026 Security Update Review.

Microsoft's approach was pragmatic: rather than trying to patch a legacy driver for hardware that's essentially obsolete (dial-up modems), they simply removed it. As Microsoft noted in their advisory, "Soft modem hardware dependent on these specific drivers will no longer work on Windows," and they recommend removing any existing dependencies on this hardware.

What You Should Do About This

  • Right Now:
    • Apply the January 2026 Windows cumulative update to your systems. This update removes the vulnerable agrsm64.sys and agrsm.sys drivers automatically.
    • Check if you have any systems still using dial-up modem hardware that depends on these drivers. If you do, you'll need to plan for alternative connectivity solutions, as these drivers will no longer function after the update.
    • Review your systems for signs of BYOVD attacks. Look for unexpected driver installations or security tool failures that might indicate this vulnerability was exploited before the patch.
  • For the Long Term:
    • Implement driver signature enforcement policies to prevent unauthorized driver installations. This helps protect against BYOVD attacks in general.
    • Consider using Windows Defender Application Control (WDAC) or similar technologies to maintain an allowlist of approved drivers in your environment.
    • Monitor for attempts to load known vulnerable drivers. Many EDR solutions now include BYOVD detection capabilities.
    • Audit your environment for other legacy drivers that might pose similar risks. Just because a driver ships with Windows doesn't mean it's actively maintained or secure.

Detection Guidance

If you're concerned that this vulnerability might have been exploited in your environment before you applied the January 2026 updates, here are some things to look for:

  • Check for the presence of agrsm64.sys or agrsm.sys in your driver directories, particularly if they were recently accessed or modified
  • Review Windows Event Logs for driver loading events related to these files
  • Look for processes that escalated from medium to high integrity unexpectedly
  • Monitor for IOCTL calls to 0x1b2150, though this requires specialized kernel monitoring tools
  • Check for signs of security tool tampering or unexpected termination of antivirus processes
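The following PowerShell script is an added example, not part of the original post, that automates the first four checks above on a single host: driver files on disk, a kernel driver service registered for them, Sysmon driver-load events (Event ID 6), and System log service-install events (Event ID 7045). The function name Find-AgrsmArtifacts is hypothetical; the script assumes an elevated session and skips the Sysmon check when that log is not present.

```powershell
# Added detection helper (not from the original post). Assumes an elevated PowerShell
# session; the Sysmon check is skipped when the Sysmon Operational log is absent.
function Find-AgrsmArtifacts {
    $vulnDrivers = @('agrsm64.sys', 'agrsm.sys')
    $namePattern = 'agrsm(64)?\.sys'
    $driverDirs  = @("$env:SystemRoot\System32\drivers",
                     "$env:SystemRoot\System32\DriverStore\FileRepository")

    # 1. Presence on disk, with timestamps and signer so a recent write stands out.
    foreach ($dir in $driverDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include $vulnDrivers -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [PSCustomObject]@{ Check = 'OnDisk'; When = $_.LastWriteTime
                    Detail = "$($_.FullName) v$($_.VersionInfo.FileVersion) accessed=$($_.LastAccessTime) signer=$($sig.SignerCertificate.Subject)" }
            }
    }

    # 2. Registered as a kernel driver service (BYOVD loaders usually create one).
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match $namePattern } |
        ForEach-Object {
            [PSCustomObject]@{ Check = 'RegisteredDriver'; When = $null
                Detail = "$($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)" }
        }

    # 3. Sysmon Event ID 6 (driver loaded) naming either file.
    $sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
    if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
        Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 6 } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $namePattern } |
            ForEach-Object { [PSCustomObject]@{ Check = 'SysmonDriverLoad'; When = $_.TimeCreated; Detail = $_.Message } }
    }

    # 4. System log 7045 (service installed) naming either file.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $namePattern } |
        ForEach-Object { [PSCustomObject]@{ Check = 'ServiceInstall7045'; When = $_.TimeCreated; Detail = $_.Message } }
}

$findings = @(Find-AgrsmArtifacts)
if ($findings.Count -eq 0) { 'No agrsm driver artifacts found on this host.' }
else { $findings | Sort-Object When | Format-Table -AutoSize -Wrap }
```

On a host that already has the January 2026 update, the on-disk check should come back empty; the two event-log checks are what reveal whether the driver was loaded or installed as a service before the update.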

Going Deeper: MITRE ATT&CK Context

From a threat intelligence perspective, this vulnerability maps to several MITRE ATT&CK techniques:

  • T1068 - Exploitation for Privilege Escalation: The primary use case, allowing attackers to move from low-privileged to SYSTEM access
  • T1543.003 - Create or Modify System Process: Windows Service: Attackers could use elevated privileges to install persistent services
  • T1562.001 - Impair Defenses: Disable or Modify Tools: The ability to bypass kernel-level protections like AV and PPL
  • T1611 - Escape to Host: In containerized environments, this could potentially be used as part of an escape chain

The BYOVD attack technique has become increasingly popular among ransomware operators and advanced persistent threat (APT) groups because it allows them to operate with legitimate-looking signed drivers while disabling security controls. This particular driver was attractive because it shipped natively with Windows, meaning it was already present on many systems and wouldn't trigger alerts for new driver installations.

A Final Word of Advice

This case illustrates an important principle in security: sometimes the best patch is removal. Legacy components that are no longer actively used or maintained can become security liabilities. Microsoft made the right call here—rather than investing resources in patching a driver for obsolete hardware, they simply removed the attack surface entirely.

For those of you managing Windows environments, this is a good reminder to periodically audit what's actually running on your systems. Just because something shipped with the operating system doesn't mean you need it, and removing unnecessary components reduces your attack surface. It's like cleaning out your garage—the less stuff you have lying around, the fewer places intruders can hide.

Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere, especially when they remove functionality that might still be in use in your environment.