winflash64.sys
Phoenix WinFlash BIOS-flashing driver
WinFlash64.sys is a BIOS-flashing driver from Phoenix Technologies, used by various OEM firmware-update tools that delegate to Phoenix's WinFlash utility. It is on the LOLDrivers list because BIOS-flash drivers expose very low-level access by design. The same primitives a firmware update needs are the primitives that a firmware attacker needs.
The vulnerability was significant enough that Microsoft added it to the Vulnerable Driver Blocklist; in some Windows 11 builds, the inclusion has caused legitimate WinFlash-based BIOS updates to be blocked. That is the intended trade-off: the blocklist favors keeping the kernel safe over keeping every OEM firmware tool working.
If you find it on a system after a recent BIOS update, that is the expected install footprint. If a BIOS update is currently failing because Windows blocks WinFlash, your OEM almost certainly has a newer firmware-update path; check their support page.
winflash64.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 4 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “winflash64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/winflash64-sys
