← All drivers
vulnerable
Driver

dbutil_2_3.sys

Dell firmware-update driver (the one that made the news)

From Dell Technologies
Part of the Dell family
Status
On a known-vulnerable list
Known variants
3 distinct hashes
Public CVEs
1
Field notes

dbutil_2_3.sys is a Dell driver used by firmware and BIOS update utilities such as Dell Command Update. It is on the LOLDrivers list because of CVE-2021-21551, a well-publicized cluster of memory-corruption and arbitrary read/write flaws disclosed by SentinelLabs in 2021, and present in the driver since 2009. The vulnerable driver shipped on hundreds of millions of Dell systems for over a decade before the disclosure.

Why it persists: Dell published a remediation advisory and a patched driver, but the older signed binary still loads on modern Windows. Removal involves running Dell's cleanup utility or manually deleting the driver file and registry entries; many systems still have copies on disk.

On the public record: dbutil_2_3.sys is one of the most-cited BYOVD targets in published security research from 2021 onward. It has been documented in incident-response reports as a driver attackers brought with them after initial compromise to disable endpoint protection. Microsoft added explicit blocks for it to the Vulnerable Driver Blocklist.

It is common on Dell systems where Dell Command Update or similar tools were installed. Follow Dell's published remediation, then update Dell's current software for your hardware.

What the record shows

dbutil_2_3.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 3 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

Public CVEs
What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the Dell family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “dbutil_2_3.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/dbutil-2-3-sys