Cyber Resilience

CVE-2026-3796

Severity: Medium · Type: LPE (local privilege escalation)

Published: 09 March 2026

Modified: 10 March 2026
CVSS v4.0 score: 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0022 (11.8th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3796 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Qianxin Qax Internet Control Gateway. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS exploit-likelihood ranking sits at the 11.8th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-3796 is an improper access control vulnerability in the ZwTerminateProcess function of the QKSecureIO_Imp.sys library, part of the Mini Filter Driver component in Qi-ANXIN QAX Virus Removal software versions up to 2025-10-22. Manipulating this function bypasses the driver's intended access checks; the weakness is classified under CWE-266 (Incorrect Privilege Assignment), CWE-284 (Improper Access Control), and NVD-CWE-Other. The issue carries a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L): moderate severity, local attack vector, low attack complexity, and low privileges required.

Exploitation requires local execution on the affected system by a user or process that already holds low privileges (PR:L). A successful attack has limited impact on confidentiality, integrity, and availability, such as unauthorized termination of, or interference with, processes via the vulnerable driver function. An exploit has been publicly disclosed, hosted on GitHub under the FocusKiller repository, so attackers can replicate the manipulation.

VulDB advisories detail the vulnerability (CTI ID 349763, submission 758991) and note that the vendor, Qi-ANXIN, was contacted early but provided no response or patch. No official mitigation or update is referenced, leaving affected systems reliant on disabling the Mini Filter Driver, restricting local privileges, or monitoring for FocusKiller exploit usage until vendor action occurs.

The public availability of the FocusKiller exploit on GitHub raises concerns for immediate local privilege escalation risks in environments using the vulnerable QAX Virus Removal software.


Vulnerability details

A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys of the component Mini Filter Driver. Executing a manipulation can lead to improper access controls. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1685 Disable or Modify Tools (tactic: Defense Impairment): Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

The CVE describes a local privilege escalation exploit (FocusKiller) against an AV minifilter driver that bypasses access controls on ZwTerminateProcess, which directly maps to T1068. The same ability to terminate processes belonging to security software maps to T1562.001, since it lets an attacker disable or interfere with defensive tools.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2549 (shared CWE-266, CWE-284)
CVE-2025-8795 (shared CWE-266, CWE-284)
CVE-2026-2206 (shared CWE-266, CWE-284)
CVE-2024-13211 (shared CWE-266, CWE-284)
CVE-2026-2075 (shared CWE-266, CWE-284)
CVE-2024-13200 (shared CWE-266, CWE-284)
CVE-2026-9517 (shared CWE-266, CWE-284)
CVE-2025-2121 (shared CWE-266, CWE-284)
CVE-2025-0802 (shared CWE-266, CWE-284)
CVE-2026-5141 (shared CWE-266, CWE-284)

Affected Assets

Qianxin QAX Internet Control Gateway, versions ≤ 2025-10-22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces access restrictions on the ZwTerminateProcess call in the vulnerable Mini Filter Driver to block unauthorized local manipulation.

Prevent: Limits privileges assigned to processes interacting with QKSecureIO_Imp.sys, mitigating the incorrect privilege assignment (CWE-266) that enables the exploit.

Prevent: Restricts or disables the vulnerable Mini Filter Driver functionality until a patch is available, reducing the attack surface for the public FocusKiller exploit.
