← All drivers
vulnerable
Driver

rtcore64.sys

MSI Afterburner / MSI Center kernel driver

From Micro-Star International (MSI)
Part of the MSI family
Status
On a known-vulnerable list
Known variants
35 distinct hashes
Public CVEs
2
Field notes

RTCore64.sys is the kernel driver that ships with MSI Afterburner and MSI Center, MSI's hardware monitoring and overclocking tools. Millions of gamers have it on their machines because Afterburner is the de facto utility for fan curves, GPU tuning, and on-screen overlays.

Older versions are on the public LOLDrivers list because of CVE-2019-16098: any local user on the machine can read and write arbitrary kernel memory, I/O ports, and processor model-specific registers through the driver's IOCTL interface. The same low-level access that lets Afterburner read GPU temperatures is the access that, in the vulnerable build, anything else on the machine could use.

Why it persists: MSI patched newer Afterburner releases, but the older signed driver still loads on modern Windows. Code-signing certificates are not revoked on a driver vulnerability the way an SSL certificate would be, and even when revoked, Windows still loads signed drivers. Updating Afterburner does not retroactively remove the older driver from every machine that ever installed it.

On the public record: security researchers (Picus, Sophos, SC Media) have documented criminal data-extortion groups dropping RTCore64.sys onto already-compromised systems and using it to disable endpoint protection products before encrypting files. The driver's presence on a gamer's machine is overwhelmingly the legitimate MSI utility; on an incident-response engagement it is one of the well-known tools attackers bring with them.

If this driver is on your system, the simplest explanation is that you have MSI hardware and installed the legitimate MSI utilities. Update MSI Center to the current version; if Windows' own Vulnerable Driver Blocklist starts complaining about an older Afterburner install, that is the same signal, and the same fix.

What the record shows

rtcore64.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 35 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Related drivers

Other drivers in the MSI family. See the whole family →

Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “rtcore64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/rtcore64-sys