CVE-2026-3609

HIGH

XIGNCODE3 xhunter1.sys kernel driver contains a Privilege Escalation Vulnerability

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-3609. PoCs published by BlackSnufkin.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2026-3609, demonstrating a BYOVD (Bring Your Own Vulnerable Driver) attack to terminate protected processes by leveraging vulnerable kernel drivers. The code includes a shared library for driver management and multiple driver-specific implementations.

Description

Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS. Cross reference to KVE 2023-5589 (https://krcert.or.kr)

Exploits (2)

nomisec WORKING POC 766 stars

by BlackSnufkin · poc

https://github.com/BlackSnufkin/BYOVD

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2026-3609, demonstrating a BYOVD (Bring Your Own Vulnerable Driver) attack to terminate protected processes by leveraging vulnerable kernel drivers. The code includes a shared library for driver management and multiple driver-specific implementations.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Various kernel drivers (e.g., BdApiUtil64, CcProtect, K7RKScan)

Auth required

Prerequisites: Administrative privileges · Vulnerable driver files

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 28, 2026 Full analysis →

github WORKING POC 3 stars

by BlackSnufkin · rustpoc

https://github.com/BlackSnufkin/CredsHunter

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-3609, which leverages a PPL-bypassing process-handle leak in Wellbia's XIGNCODE3 anti-cheat driver (`xhunter1.sys`) to dump LSASS credentials. The exploit uses `ObOpenObjectByPointer` with `AccessMode = KernelMode` to obtain a `PROCESS_ALL_ACCESS` handle, enabling credential extraction via standard techniques.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Wellbia XIGNCODE3 anti-cheat driver (xhunter1.sys version 10.0.10011.16384)

No auth needed

Prerequisites: Vulnerable driver loaded as a kernel service · Access to the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 12, 2026 Full analysis →

References (2)

Core 2

Core References

https://crcert.or.kr

https://blacksnufkin.github.io/posts/AntiCheat-LPE-CVE-2026-3609/

Scores

CVSS v3 7.8

EPSS 0.0001

EPSS Percentile 0.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

Status published

Products (2)

wellbia/xigncode3 10.0.10011.16384

Wellbia/XIGNCODE3 Anti-Cheat 10.0.10011.16384

Published May 11, 2026

Tracked Since May 11, 2026