CVE-2026-3796
Published: 09 March 2026
Summary
CVE-2026-3796 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Qianxin Qax Internet Control Gateway. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 11.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3796 is a vulnerability involving improper access controls in the ZwTerminateProcess function within the QKSecureIO_Imp.sys library of the Mini Filter Driver component in Qi-ANXIN QAX Virus Removal software versions up to 2025-10-22. This weakness allows manipulation that bypasses intended protections, as identified under CWEs 266 (Incorrect Privilege Assignment), 284 (Improper Access Control), and NVD-CWE-Other. The issue carries a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating moderate severity with local attack vector, low attack complexity, and low privileges required.
Exploitation requires local execution on the affected system, targeting users or processes with low-level privileges. A successful attack can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized termination or interference with processes via the vulnerable driver function. An exploit has been publicly disclosed, hosted on GitHub under the FocusKiller repository, enabling potential attackers to replicate the manipulation.
VulDB advisories detail the vulnerability (CTI ID 349763, submission 758991) and note that the vendor, Qi-ANXIN, was contacted early but provided no response or patch. No official mitigation or update is referenced, leaving affected systems reliant on disabling the Mini Filter Driver, restricting local privileges, or monitoring for FocusKiller exploit usage until vendor action occurs.
The public availability of the FocusKiller exploit on GitHub raises concerns for immediate local privilege escalation risks in environments using the vulnerable QAX Virus Removal software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10288
Vulnerability details
A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys of the component Mini Filter Driver. Executing a manipulation can lead to improper access controls. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local privilege escalation exploit (FocusKiller) against an AV minifilter driver that bypasses access controls on ZwTerminateProcess, directly enabling T1068. The same process-termination capability in security software facilitates T1562.001 by allowing attackers to disable or interfere with defensive tools.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces access restrictions on the ZwTerminateProcess call in the vulnerable Mini Filter Driver to block unauthorized local manipulation.
Limits privileges assigned to processes interacting with QKSecureIO_Imp.sys, mitigating the incorrect privilege assignment (CWE-266) that enables the exploit.
Restricts or disables the vulnerable Mini Filter Driver functionality until a patch is available, reducing the attack surface for the public FocusKiller exploit.