CVE-2026-3796

MEDIUM

Qi-ANXIN QAX Virus Removal - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-3796, a PoC published by cwjchoi01.

AI-analyzed exploit summary: The repository contains a functional exploit PoC for CVE-2026-3796 that abuses the vulnerable driver to terminate arbitrary processes by sending a crafted message to its minifilter communication port. The exploit loads the vulnerable driver, connects to the communication port, and sends a structured message that terminates a target process whose PID is supplied through an environment variable.

Description

A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys, part of the Mini Filter Driver component. Manipulation of this function leads to improper access controls. The attack requires local execution. A public exploit is available and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

nomisec WORKING POC
by cwjchoi01 · poc
https://github.com/cwjchoi01/CVE-2026-3796

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows kernel (specific driver: QKSecureIO_Imp.sys)
Auth required
Prerequisites: administrative privileges to load a driver · presence of the vulnerable driver or ability to load it · target process PID
Analyzed by devstral-2 on Mar 16, 2026.
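The exploit path the page describes has three steps: the driver is present and loaded, the attacker connects to its minifilter communication port, and a structured message makes the driver call ZwTerminateProcess on a caller-chosen PID. The "administrative privileges to load a driver" prerequisite therefore only applies when the driver is not already installed (the bring-your-own-vulnerable-driver case, which is not a privilege escalation on its own). Where the product is installed, the driver is already loaded as a system driver, and the question that decides whether this is an LPE at the record's PR:L is whether a non-administrator can open that port at all. The script below is an added triage check for the defender side; it is not part of the CVE record, VulDB, or the cwjchoi01 PoC. It assumes nothing about the driver's SCM service name or registered minifilter name (neither is on the record), so it locates the driver by file name, and it treats the "up to 2025-10-22" affected window as a date heuristic because no fixed version is listed.

```powershell
# Added triage script: not from the CVE record, VulDB, or the cwjchoi01 PoC.
# Assumptions, labelled: the driver's SCM service name and registered minifilter
# name are not on the record, so the driver is located by file name; the record
# lists no fixed version, so "up to 2025-10-22" is used as a date heuristic only.
#Requires -RunAsAdministrator

$DriverFile   = 'QKSecureIO_Imp.sys'
$AffectedThru = Get-Date '2025-10-22'

# 1. Is the driver registered with the service control manager, and is it loaded?
$svc = Get-CimInstance Win32_SystemDriver |
       Where-Object { $_.PathName -like "*$DriverFile*" } |
       Select-Object -First 1

$path = $null
if ($svc) {
    # PathName may be "\??\C:\...", "\SystemRoot\system32\..." or relative to %SystemRoot%.
    $p = $svc.PathName -replace '^\\\?\?\\', ''
    if ($p -like '\SystemRoot\*')             { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    $path = $p
} else {
    # Not registered: the file may still be on disk, staged for a later driver load.
    $hit = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter $DriverFile -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($hit) { $path = $hit.FullName }
}

if (-not $path) {
    Write-Output "$DriverFile not present: this host is not exposed through an installed copy."
    return
}

# 2. File facts: build date, version and signer. The signature matters because a
#    validly signed but vulnerable driver is exactly what a BYOVD loader brings along.
$file      = Get-Item $path
$sig       = Get-AuthenticodeSignature $path
$svcName   = if ($svc) { $svc.Name }      else { '(not registered)' }
$svcState  = if ($svc) { $svc.State }     else { 'n/a' }
$svcStart  = if ($svc) { $svc.StartMode } else { 'n/a' }
# Heuristic: builds dated on or before the affected cut-off are treated as exposed.
$likelyHit = ($file.LastWriteTime.Date -le $AffectedThru.Date)

[pscustomobject]@{
    Service        = $svcName
    State          = $svcState
    StartMode      = $svcStart
    Path           = $path
    FileVersion    = $file.VersionInfo.FileVersion
    LastWriteTime  = $file.LastWriteTime
    Signer         = $sig.SignerCertificate.Subject
    SignatureState = $sig.Status
    LikelyAffected = $likelyHit
} | Format-List

# 3. Loaded minifilters. The registered filter name need not equal the file name,
#    so the full fltmc list is shown for manual matching (fltmc itself needs admin).
Write-Output "`nLoaded minifilters (fltmc.exe filters):"
fltmc.exe filters

# 4. Driver-load history via Sysmon Event ID 6 (DriverLoad), if Sysmon is installed:
#    a load time that does not match the product's install points at BYOVD use.
$loads = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match [regex]::Escape($DriverFile) }

if ($loads) {
    Write-Output "`nSysmon DriverLoad events for ${DriverFile}:"
    $loads | Select-Object TimeCreated,
        @{ n = 'ImageLoaded'; e = { ($_.Message -split '\r?\n' | Where-Object { $_ -match '^ImageLoaded:' }) -replace '^ImageLoaded:\s*', '' } },
        @{ n = 'Signed';      e = { ($_.Message -split '\r?\n' | Where-Object { $_ -match '^Signed:' })      -replace '^Signed:\s*', '' } } |
      Format-Table -AutoSize
} else {
    Write-Output "`nNo Sysmon DriverLoad (ID 6) events for $DriverFile (Sysmon absent or log rotated)."
}
```

Run it in an elevated PowerShell on a host where the product is, or was, installed. A State of Running with an old LastWriteTime is the case that matters: the driver is already resident, so the exploit needs no driver-load privilege of its own, and the remaining control is the access check on the communication port, which this script cannot evaluate without the port name. The Sysmon query is what to pivot on if the driver turns up on a host where the product was never installed.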

References (5)

Core References
https://vuldb.com/?id.349763 (VDB entry, technical description; permissions required)
https://vuldb.com/?ctiid.349763 (VDB entry, signature; permissions required)
https://vuldb.com/?submit.758991 (VDB entry, third-party advisory; permissions required)

Scores

CVSS v3 5.3
EPSS 0.0022
EPSS Percentile 11.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-266 CWE-284
Status published
Products (1)
qianxin/qax_internet_control_gateway < 2025-10-22
Published Mar 09, 2026
Tracked Since Mar 09, 2026