EIP-2026-117381

PRE-CVE

Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-117381. PoCs published by mr_me.

AI-analyzed exploit summary: This is a functional privilege escalation exploit for Kingsoft Antivirus/Internet Security 9+ (KWatch3.sys driver) that leverages a kernel stack buffer overflow via IOCTL 0x80030004 or 0x80030008. The exploit includes shellcode to bypass SMEP and escalate privileges to SYSTEM by manipulating the token of the current process.

Description

Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation

Exploits (1)

exploitdb WORKING POC VERIFIED
by mr_me · python · local · windows
https://www.exploit-db.com/exploits/43421

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Kingsoft Antivirus/Internet Security 9+ (KWatch3.sys driver)
No auth needed
Prerequisites: Local access to the target system · Vulnerable Kingsoft Antivirus/Internet Security 9+ installation
devstral-2 · analyzed Feb 19, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026