CVE-2026-3796
Published: 09 March 2026
Summary
CVE-2026-3796 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Qianxin Qax Internet Control Gateway. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
- Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
- Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.
- The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
- Least privilege ensures privileges are assigned only as necessary rather than incorrectly over-granted.
- Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
- Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
- By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE describes a local privilege escalation exploit (FocusKiller) against an AV minifilter driver that bypasses access controls on ZwTerminateProcess, directly enabling T1068. The same process-termination capability in security software facilitates T1562.001 by allowing attackers to disable or interfere with defensive tools.
NVD Description
A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys of the component Mini Filter Driver. Executing a manipulation can lead to improper access controls. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis (AI-generated)
CVE-2026-3796 is a vulnerability involving improper access controls in the ZwTerminateProcess function within the QKSecureIO_Imp.sys library of the Mini Filter Driver component in Qi-ANXIN QAX Virus Removal software versions up to 2025-10-22. This weakness allows manipulation that bypasses intended protections, as identified under CWEs 266 (Incorrect Privilege Assignment), 284 (Improper Access Control), and NVD-CWE-Other. The issue carries a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating moderate severity with local attack vector, low attack complexity, and low privileges required.
Exploitation requires local execution on the affected system by a principal that already holds low privileges. A successful attack can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized termination of or interference with processes via the vulnerable driver function. An exploit has been publicly disclosed, hosted on GitHub under the FocusKiller repository, enabling potential attackers to replicate the manipulation.
VulDB advisories detail the vulnerability (CTI ID 349763, submission 758991) and note that the vendor, Qi-ANXIN, was contacted early but provided no response or patch. No official mitigation or update is referenced, leaving affected systems reliant on disabling the Mini Filter Driver, restricting local privileges, or monitoring for FocusKiller exploit usage until vendor action occurs.
The public availability of the FocusKiller exploit on GitHub raises concerns for immediate local privilege escalation risks in environments using the vulnerable QAX Virus Removal software.
Details
- CWE(s)