rzpnk.sys
Razer Synapse overlay and peripheral kernel driver
rzpnk.sys is the kernel companion to Razer Synapse, one of the most widely deployed pieces of gaming peripheral software in the world. Razer Synapse sits on top of nearly every Razer mouse, keyboard, headset, and RGB device for configuration, lighting profiles, and macro support. The kernel driver exists to support the overlay and hardware-control plumbing that the user-mode utility needs.
The driver has a documented public history. Security researchers disclosed three local privilege-escalation vulnerabilities in 2017 (CVE-2017-9769, CVE-2017-9770, CVE-2017-14398) that let unprivileged users escalate to SYSTEM through the driver's interface. A separate but related 2021 story, surfaced by researcher 'jonhat' and widely covered by BleepingComputer, was the installer-side flaw (CVE-2021-44226): plugging a Razer device into a Windows machine triggered the Synapse installer under SYSTEM, and a command prompt could be spawned from the installer dialog.
If you use Razer peripherals, keep Razer Synapse and rzpnk.sys updated through Synapse's own auto-update. If you find rzpnk.sys on a machine that has never had Razer hardware, the leftover Synapse install is worth investigating. The Razer plug-and-play installer surface is also a physical-access concern for unattended Windows desktops in shared spaces.
rzpnk.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “rzpnk.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/rzpnk-sys
