← All drivers
vulnerable
Driver

winio64.sys

WinIo direct hardware I/O driver

From Yariv Kaplan / WinIo (open source, widely embedded)
Status
On a known-vulnerable list
Known variants
5 distinct hashes
Public CVEs
1
Field notes

WinIo64.sys is a well-known open-source driver that grants user-mode processes direct access to I/O ports, processor MSRs, and physical memory. It has been embedded in countless third-party hardware utilities for years: monitoring tools, RGB controllers, fan utilities, mining helpers, OEM diagnostics.

It is on the LOLDrivers list because the driver does not restrict the privileges of the caller. Any local user able to talk to it can use those I/O primitives. CVE-2024-55407 covers the specific WinIO64.sys build distributed by ITE for IO access, and Microsoft added it to the Vulnerable Driver Blocklist.

Its presence usually means a hardware utility that bundled WinIo. Identify which utility shipped it (Sysinternals' AutoRuns can help, or check the driver's properties for a vendor name), and update or remove accordingly.

What the record shows

winio64.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 5 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

Public CVEs
What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “winio64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/winio64-sys