Riot Games spent the first half of 2026 rewriting the rules for Vanguard, the kernel-level anti-cheat driver that runs underneath Valorant and League of Legends – and player sentiment swung from outrage to grudging relief and back again. In December 2025, Riot’s own security researchers disclosed a UEFI firmware flaw serious enough to earn four separate CVE identifiers. In May 2026, an update built to defeat $6,000 direct-memory-access (DMA) cheat hardware went viral after Riot mocked cheaters on social media. And on June 24, 2026, Riot did something almost no kernel-level anti-cheat vendor has done before: it made the driver optional for players whose PCs meet a strict, modern hardware bar.
The result is the most consequential run of changes to PC gaming’s most scrutinized security software since Vanguard first shipped alongside Valorant in 2020. It also lands in the middle of a broader industry shift: Electronic Arts, Activision, and Epic Games have all leaned harder on kernel-level or hardware-gated anti-cheat over the past year, while independent security researchers keep asking the same uncomfortable question – at what point does software built to stop cheating start looking like the exact rootkit behavior it exists to prevent?
A Vanguard Anti-Cheat Reckoning, Seven Months in the Making
In the space of seven months, Vanguard went from a fresh vulnerability disclosure, to a viral bricking controversy, to voluntarily giving up its most criticized behavior. The table below lays out how fast the story moved, starting with the industry context that set the stage.
| Date | Development | Why it matters |
|---|---|---|
| April 2024 | Vanguard becomes mandatory for League of Legends | Kernel-level access expands from Valorant’s dedicated shooter audience to LoL’s much larger, more casual player base |
| October 10, 2025 | Battlefield 6 launches with EA’s kernel-level Javelin anti-cheat | A second major publisher normalizes always-on kernel drivers on PC |
| December 18–19, 2025 | Riot discloses a UEFI Pre-Boot DMA Protection flaw across four motherboard vendors | Four CVEs issued; a VAN:Restriction error begins blocking unpatched PCs from Valorant |
| February 19, 2026 | Epic Games adds IOMMU to Fortnite’s tournament hardware requirements | The same DMA-attack rationale as Riot’s spreads to a second major title |
| May 21, 2026 | A Vanguard update uses IOMMU to corrupt DMA cheat hardware firmware | Riot’s “$6k paperweight” social post goes viral and is widely misread as bricking player PCs |
| June 24, 2026 | Riot launches Vanguard On-Demand | First time a major kernel-level anti-cheat becomes optional for qualifying hardware |
Two threads run through all three Vanguard episodes. First, the vulnerability, the crackdown, and the relief measure all involve the same hardware feature: IOMMU, the chipset-level component that decides which devices can read or write which regions of memory. Second, each episode asked a PC to place more trust in its own firmware, not less – a pattern that is starting to define kernel-level anti-cheat generally in 2026, not just at Riot.
The UEFI Flaw That Started It: Four CVEs and a “Sleeping Bouncer”
The saga’s first chapter began quietly. Riot’s security team found that motherboards from four of the PC industry’s largest vendors – Asus, Gigabyte, MSI, and ASRock – shipped firmware that misreported the state of Pre-Boot DMA Protection, the mechanism meant to stop a malicious PCIe device from reading or writing system memory before Windows even loads. Riot’s own write-up on the flaw put it in characteristically informal terms: the system’s “bouncer” appeared to be on duty, but was actually asleep in the chair.
The bug earned four separate CVE identifiers – CVE-2025-11901 (Asus), CVE-2025-14302 (Gigabyte), CVE-2025-14303 (MSI), and CVE-2025-14304 (ASRock) – plus a coordinated CERT/CC advisory, VU#382314. CERT/CC described the underlying defect in dry, exacting language: “Even though firmware asserts that DMA protections are active, it fails to properly configure and enable the IOMMU during the early hand-off phase in the boot sequence.”
Because the flaw requires physical access to exploit – an attacker needs to physically connect a malicious PCIe device before the operating system boots – it is a niche threat for an average office PC, as BleepingComputer and TechRadar both noted in their coverage. For competitive gaming, though, it is exactly the attack surface that expensive direct-memory-access cheat cards are built to exploit. Riot worked with all four vendors on corrected firmware, then began enforcing it: PCs still running vulnerable firmware with IOMMU disabled now hit a VAN:Restriction error that blocks Valorant from launching until the player updates their motherboard’s UEFI or enables the protection Riot requires.
IOMMU 101: The Memory Firewall Every Anti-Cheat Now Wants Enabled
IOMMU – the Input-Output Memory Management Unit – is a CPU and chipset feature that restricts which memory addresses a connected PCIe device is allowed to touch. Without it, any device in a PCIe slot or Thunderbolt port can, in principle, read or write anywhere in system memory via direct memory access, bypassing the CPU and any software-based monitoring entirely. That is what a DMA cheat card does: it sits on a second, cheap PC or a dedicated FPGA board, reads the target game’s memory over a PCIe link to find player positions, and feeds that to a cheater without ever running a detectable process inside the game’s own machine.
Because DMA cheats never execute inside the monitored game process, traditional software anti-cheat has almost no way to see them – which is why Riot, and now Epic Games with Fortnite’s expanded tournament requirements, have concluded the real fix sits below the operating system, in firmware and chipset configuration. Most gaming PCs ship with IOMMU off by default, since enabling it can cost a few percent of frame rate and has no benefit for players who never touch a tournament. Turning it on means digging into UEFI settings most players have never opened – exactly the friction that turned Vanguard’s December 2025 enforcement into a support headache before it became a viral story.
The $6,000 Paperweight: Inside May’s Bricking Controversy
On May 21, 2026, Riot shipped a Vanguard update that went further than blocking DMA cheat devices – it actively disabled them. Using the same IOMMU protections at the center of the December disclosure, the update forces repeated page faults and restarts against any DMA device attempting to attach over SATA or NVMe, which corrupts the firmware running on the device’s FPGA chip and, in many cases, the drive attached to it. The devices in question are specialized, purpose-built cheat hardware that reportedly sell for around $6,000 – not general-purpose PC components.
“Congrats to the owners of a brand new $6k paperweight.”
Riot Games, official social media post on the DMA-cheat firmware block, reported by Tom’s Hardware (May 2026)
The line went viral instantly, and not entirely in the way Riot intended. As Dexerto reported, a large share of the reaction assumed Vanguard was now capable of bricking an entire gaming PC, not just a cheat card – some players argued that intentionally disabling hardware “should be illegal” and floated the idea of a class-action lawsuit, while others cheered the aggressive stance against cheaters. Riot moved quickly to clarify the scope of what had actually happened.
“Vanguard does not damage hardware or disable your devices.” Riot added that IOMMU must simply stay enabled to play any Riot game going forward, and that the “paperweight” comment referred only to VALORANT cheat devices that no longer function – not to permanently destroyed player hardware.
Riot Games clarification, as reported by Dexerto and Tom’s Hardware
Vanguard On-Demand: How Riot’s “Trust Segmentation” Works
Five weeks after the paperweight controversy, Riot pivoted from escalation to a genuine concession. Since Vanguard’s 2020 debut, its defining – and most criticized – behavior has been that the driver loads with Windows itself and keeps running at all times, whether or not a Riot game is open. On June 24, 2026, Riot announced Vanguard On-Demand, which ends that always-on requirement for PCs that clear a specific hardware-and-software bar: Windows 11 version 25H2, Secure Boot, TPM 2.0, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and IOMMU, all enabled simultaneously. On a qualifying PC, Vanguard’s kernel driver now loads only when Valorant or League of Legends actually launches, and unloads again on exit.
“Starting later today, the universally beloved anti-cheat product, Vanguard, will begin to support on-demand sessions from all sufficiently secured PC devices.” Riot added that “by opting into pre-boot security mechanisms and Windows’ own native protection features, Vanguard can safely end its watch.”
Philip Koskinas, Director of Anti-Cheat, Riot Games, via Notebookcheck (June 24, 2026)
The mechanism behind the switch is a new Windows security primitive rather than anything Riot built alone: a Runtime Driver Attestation Report, which Notebookcheck’s reporting attributes to a Microsoft feature developed with input from its Xbox OS security team. Instead of trusting Vanguard to police itself at all times, Windows attests – cryptographically, at the platform level – that the security stack around the driver is intact, and only then allows the on-demand model to substitute for continuous kernel monitoring.
The 35/62/3 Split: Who Actually Gets the Upgrade
Vanguard On-Demand is opt-in, not mandatory, and Riot’s own numbers show why that matters. According to Notebookcheck’s reporting on the launch, roughly 35% of the player base already met every requirement automatically at launch and could switch immediately after updating Vanguard. A further 62% can reach on-demand mode by manually enabling settings such as Secure Boot, TPM, or VBS that their hardware already supports but that were left off – often because motherboard manufacturers still ship with these features disabled out of the box. The remaining roughly 3% are on hardware too old to support the requirements at all, and will keep running Vanguard exactly as they do today: always-on, from the moment Windows starts.
Riot’s own announcement separately described the automatically-qualifying share as growing by roughly 1–2 percentage points a month as players update Windows, BIOS, and drivers – meaning the 35% figure is a floor, not a ceiling, for how many players will eventually get the lighter-touch experience without changing a single setting. Crucially, players who do nothing are not penalized or blocked; they simply continue on the anti-cheat model Vanguard has used since 2020.
How to Check If Your PC Qualifies
Three of the five On-Demand requirements can be checked from Windows itself in under a minute. IOMMU (labeled “VT-d” on Intel boards or “AMD-Vi”/SVM on AMD boards) and the exact Windows build number generally need to be confirmed separately, in UEFI/BIOS settings and via Windows Update respectively.
# Check Secure Boot status (should return True)
Confirm-SecureBootUEFI
# Check TPM presence and readiness
Get-Tpm
# Check Virtualization-Based Security / HVCI status
msinfo32
# In System Summary, look for "Device Guard Virtualization based security"
# and "Device Guard Hypervisor enforced Code Integrity" – both should say "Running"
If any of these come back negative, the fix is usually a UEFI setting rather than new hardware – most PCs built since roughly 2019 support Secure Boot and TPM 2.0 but ship with one or both switched off.
Kernel-Mode Anti-Cheat, Explained: Ring 0 and the Trust Problem
“Kernel-level” refers to Ring 0, the most privileged execution mode on a Windows PC – the same layer the operating system itself runs in, with unrestricted access to memory, hardware, and every running process. Anti-cheat vendors want that access because the most sophisticated cheats, including DMA cheats and kernel-mode aimbots, are designed to hide from anything running at the more restricted user level, where ordinary applications – and older, weaker anti-cheat software – operate. A driver running at Ring 0 can see what a cheat running at Ring 0 sees.
The trade-off is that a kernel driver is, functionally, as trusted as the operating system itself. If it has a bug, that bug is a kernel-level bug; if it is compromised, the compromise has kernel-level reach. As background reporting on kernel-level anti-cheat explains, that is what separates this generation of anti-cheat from earlier, user-mode-only tools – and why every decision Riot, EA, and Activision make about their drivers gets treated as a security story, not just a gaming one.
The 2026 Anti-Cheat Landscape, Head to Head
Vanguard is not the only kernel-level anti-cheat asking for deeper hardware trust in 2026. The table below compares the major systems currently protecting competitive PC gaming.
| Anti-cheat | Publisher/owner | Kernel access | Boot behavior (2026) | Linux/SteamOS |
|---|---|---|---|---|
| Vanguard | Riot Games | Yes (Ring 0) | On-Demand (opt-in) or always-on (default) | Not supported |
| Javelin | Electronic Arts | Yes (Ring 0) | Always-on | Not yet; Linux/Proton support reportedly in development |
| Ricochet | Activision | Yes (Ring 0) | Always-on | Not supported |
| Easy Anti-Cheat | Epic Games | Kernel or user-mode, developer’s choice | Varies by title | Yes, when the developer opts in |
| BattlEye | BattlEye Innovations | Kernel or user-mode, developer’s choice | Varies by title | Yes, when the developer opts in |
| FACEIT AC | FACEIT | Yes (Ring 0) | Always-on during matches | Not supported |
The pattern is consistent: anti-cheat systems built and owned directly by a single publisher – Vanguard, Javelin, Ricochet, FACEIT AC – default to the strictest, most Windows-specific implementations. The two systems licensed out to many developers, Easy Anti-Cheat and BattlEye, are also the two with a real path to Linux, because Valve has spent years working directly with both companies to ship Proton-compatible builds that individual game studios can then choose to enable.
EA’s Javelin and the Battlefield 6-Valorant Turf War
EA’s own kernel-level anti-cheat, Javelin, launched alongside Battlefield 6 on October 10, 2025, and by EA’s own reporting has been aggressive in its first months. Per coverage from Windows Central, Javelin has blocked 2.39 million cheat attempts since launch, detected 190 distinct cheat sellers and programs, and confirmed that 183 of those – 96.3% – have since reported failures or announced takedowns. In Battlefield 6’s opening week, the game’s Match Infection Rate – the share of matches with a detected cheater present – sat at roughly 2%, meaning about 98% of matches were cheater-free.
Javelin’s aggressiveness has a side effect Vanguard never had to contend with at this scale: the two drivers actively conflict. As PC Gamer reported, Battlefield 6 won’t allow a Valorant client to keep running at the same time, because both drivers try to protect overlapping regions of system memory using the same low-level technique. Players who keep Valorant open in the background while queueing for other games now face a hard choice between the two titles.
Fortnite Joins the Arms Race: Secure Boot, TPM, and Now IOMMU
Epic Games has taken a narrower but parallel path. Fortnite has required Secure Boot and TPM for its higher-tier tournaments since February 27, 2025; on February 19, 2026, Epic expanded that requirement to add IOMMU across all tournament-level PC play, citing the same DMA-cheat rationale Riot used to justify Vanguard’s own enforcement. Epic has been explicit that IOMMU protects game memory from cheat hardware attempting direct memory access – language that reads almost identically to Riot’s own reasoning.
The key difference is scope. Fortnite’s requirements apply only to tournament participants, leaving casual players untouched, and run through Easy Anti-Cheat rather than a bespoke, always-on kernel driver. Vanguard’s requirements apply to every ranked Valorant match, and since 2024, to League of Legends as well – regardless of whether a player has ever entered a paid tournament.
Locked Out: Why Linux, Steam Deck, and Steam Machine Can’t Play
Vanguard, Javelin, and Ricochet share one more trait: none of them run on SteamOS. Valve has spent years courting Easy Anti-Cheat and BattlEye toward Linux and Proton compatibility, but publishers that require Windows-native kernel drivers with platform attestation have no equivalent path today, as Windows Central detailed in its look at anti-cheat compatibility on Valve’s newly launched Steam Machine. Practically, that means Valorant, League of Legends, Battlefield 6, and every Call of Duty title released since Ricochet’s introduction simply will not run on a Steam Deck or the new Steam Machine, regardless of how the Linux gaming stack around them – SteamOS, Proton, and community projects like Bazzite – continues to mature.
There are early signs of movement: a public EA job listing seeks engineers to build a native ARM driver for Javelin and “chart a path” toward Linux and Proton support. But as of this writing, none of the three kernel-level, single-publisher anti-cheat systems have shipped Linux support, even as the broader SteamOS handheld ecosystem keeps expanding into more of the PC market.
When Anti-Cheat Becomes the Threat: Rootkits and Precedent
Security researchers did not start scrutinizing kernel-level anti-cheat because of Vanguard specifically – the industry has a decade-plus track record of privileged anti-cheat software being abused, misused, or weaponized well beyond its original purpose.
| Year | Incident | System | Outcome |
|---|---|---|---|
| 2013 | Anti-cheat client secretly mined Bitcoin across 14,000 PCs | ESEA client | $1 million settlement with the State of New Jersey |
| 2020 | Public proof-of-concept showed arbitrary kernel-memory read/write and process-kill capability | Genshin Impact’s mhyprot2.sys driver | Exploit code published; driver persisted even after game uninstall |
| 2022 | A ransomware operator used the same driver to disable antivirus before deploying ransomware | mhyprot2.sys (BYOVD attack) | Confirmed by Trend Micro; the driver’s code-signing certificate was never revoked |
| 2024 | Academic study evaluated four major kernel-level anti-cheats for rootkit-like behavior | Vanguard, FACEIT AC, EAC, BattlEye | Two of the four were found to exhibit rootkit-like behavior threatening privacy and system integrity |
| Dec 2025–2026 | UEFI firmware flaw let cheat hardware bypass DMA protection undetected | Vanguard / four motherboard vendors | Four CVEs issued, CERT/CC advisory, mandatory firmware enforcement |
The starkest example remains 2022’s abuse of mhyprot2.sys, the kernel driver HoYoverse shipped with Genshin Impact in 2020 to catch cheaters. Proof-of-concept code showed the driver could read and write arbitrary kernel memory and kill protected processes – including antivirus software – from user mode, and it kept working even on machines that had never installed Genshin Impact. In 2022, Trend Micro confirmed a ransomware operator doing exactly that: dropping the validly-signed driver onto a target machine, using it to kill endpoint protection, then deploying ransomware unopposed – a textbook “Bring Your Own Vulnerable Driver,” or BYOVD, attack.
More directly relevant to Vanguard, a 2024 academic paper – “If It Looks Like a Rootkit and Deceives Like a Rootkit: A Critical Examination of Kernel-Level Anti-Cheat Systems,” by researchers Christoph Dorner and Lukas Daniel Klausner, presented at the ACM ARES conference – evaluated four widely deployed kernel-level anti-cheats and found two exhibited behavior indistinguishable, technically, from a rootkit: extensive, largely undocumented system-wide monitoring, filesystem filters watching all file operations, and callbacks firing on every process and DLL load across the entire machine, not just the protected game. The authors framed this as a structural problem with the software category, not proof of malicious intent – but for a driver class already running on tens of millions of PCs, the line between “trusted security software” and “rootkit-like behavior” is exactly the debate this year’s Vanguard changes reopened.
The 2024 mandatory rollout of Vanguard to League of Legends followed the same pattern of escalating scope drawing escalating scrutiny: extending kernel-level requirements to LoL’s much larger, more casual player base produced widespread backlash, including Linux players locked out entirely and a wave of “bricked computer” reports – a dry run for the bigger controversy Vanguard would generate again in May 2026.
Market Impact and Five Predictions for 2027
Taken together, 2026’s Vanguard saga is a story about the rising cost – in money and configuration effort – of being a competitive PC gamer. Modern anti-cheat now effectively requires a motherboard and CPU capable of Secure Boot, TPM 2.0, VBS, HVCI, and IOMMU, all correctly configured, on top of whatever a player already spends on the GPU and memory needed to run the game itself. That bar is arriving as gaming PC components have gotten meaningfully more expensive industry-wide, making security compliance and raw performance competing demands on the same budget.
- Other publishers copy the on-demand playbook. Expect EA and Activision to explore their own opt-in, hardware-gated “on-demand” modes for Javelin and Ricochet once Windows’ driver-attestation tooling is more widely available to third parties.
- Fortnite’s IOMMU mandate spreads beyond tournaments. Having already expanded from Secure Boot and TPM to IOMMU, and from top-tier events to all tournament play, Epic’s requirements are likely to reach a wider slice of competitive matchmaking by the end of 2026.
- Cheat hardware makers target the pre-boot window again. With IOMMU now bricking existing DMA devices, expect cheat sellers to probe for the next firmware-level gap – likely producing another motherboard CVE disclosure within the next year.
- Linux and Steam Machine support stays out of reach for Riot, EA, and Activision titles. Absent a policy reversal, Valorant, Battlefield 6, and Call of Duty are likely to remain unavailable on SteamOS through 2026, leaving Easy Anti-Cheat- and BattlEye-protected titles as the practical path to Linux multiplayer gaming.
- The rootkit debate intensifies, not fades. As more kernel-level anti-cheat drivers gain always-on, boot-time privileges across a larger share of gaming PCs, expect continued scrutiny from academic researchers and the wider security community into 2027.
Frequently Asked Questions
What is Riot Vanguard?
Vanguard is the kernel-level anti-cheat software Riot Games uses to protect Valorant (since its 2020 launch) and League of Legends (mandatory since April 2024). It runs as a Windows kernel driver with Ring 0 access, the same privilege level as the operating system itself, in order to detect cheats – including hardware-based cheats – that hide from ordinary, user-mode security tools.
Did the May 2026 Vanguard update really brick players’ PCs?
No. Riot has stated explicitly that Vanguard “does not damage hardware or disable your devices.” The update corrupts the firmware on dedicated, purpose-built DMA cheat hardware – devices reportedly costing around $6,000 – not the host gaming PC. The viral “$6k paperweight” comment referred to those cheat devices specifically.
What is IOMMU and why does Valorant need it enabled?
IOMMU (Input-Output Memory Management Unit) is a chipset feature that restricts which memory a connected PCIe device can access. Riot requires it enabled because it is currently the most effective defense against direct-memory-access cheat hardware, which reads game memory over a physical connection rather than through any process software anti-cheat can inspect.
What is Vanguard On-Demand and how is it different from the old always-on mode?
Launched June 24, 2026, Vanguard On-Demand lets the kernel driver load only when a Riot game is actually running, then unload on exit – instead of loading with Windows itself and running continuously, as Vanguard has since 2020. It requires Windows 11 25H2 with Secure Boot, TPM 2.0, VBS, HVCI, and IOMMU all enabled, and is entirely optional.
What hardware and software do I need for Vanguard On-Demand?
You need Windows 11 version 25H2 and a PC with Secure Boot, TPM 2.0, Virtualization-Based Security, Hypervisor-Protected Code Integrity, and IOMMU all switched on. Roughly 35% of Vanguard’s player base already met every requirement at launch; Riot says another 62% can qualify by manually enabling settings their hardware already supports.
Is Riot Vanguard classified as a rootkit?
Not officially, but a 2024 peer-reviewed study by researchers Christoph Dorner and Lukas Daniel Klausner found that two of four major kernel-level anti-cheat systems evaluated exhibited rootkit-like behavior, in terms of the scope and transparency of their system monitoring. The paper stopped short of naming Vanguard specifically as one of the two in its public abstract, but grouped it among the four systems studied.
Can I play Valorant, Battlefield 6, or Call of Duty on Steam Deck or Linux?
No. Vanguard, EA’s Javelin, and Activision’s Ricochet are all Windows-kernel-only and do not support SteamOS or Linux, so none of these titles run on Steam Deck or Steam Machine. Titles protected by Easy Anti-Cheat or BattlEye can support Linux when the developer opts in, which is why many other multiplayer games do run on Valve’s hardware.
Why can’t I run Battlefield 6 and Valorant at the same time?
EA’s Javelin and Riot’s Vanguard both attempt to protect overlapping regions of system memory using the same low-level technique, and the two drivers conflict when active simultaneously. Battlefield 6 blocks launching while a Valorant client is running as a result.
Related Coverage
- Steam Machine Hits $1,049: 6x Steam Deck Power
- Bazzite vs SteamOS: NVIDIA & 20+ Handhelds
- SteamOS 3.8 Takes On Windows 11 on 6+ Handhelds
- Legion Go S vs Steam Deck: $599 vs $789 OLED
- EA Buyout Stalls at CFIUS: $55B, $210 a Share
- Ransomware Groups Up 49%: 8,159 Victims Hit in 2025
- npm Supply Chain Attacks: 1.2M Malicious Packages
- CVE-2026-41940: cPanel Auth Bypass Hits 1.5M Servers
- More gaming news and analysis
Reporting compiled from Riot Games’ official newsroom, CERT/CC, and coverage by BleepingComputer, TechRadar, Tom’s Hardware, Notebookcheck, Dexerto, Windows Central, PC Gamer, Trend Micro, The Register, and the ACM/arXiv research literature cited throughout.




