Cyber Resilience

CVE-2026-40317

CriticalPublic PoCLPE

Published: 18 April 2026

Published
18 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0022 13.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-40317 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Minecanton209 Novumos. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-2 (Separation of System and User Functionality).

Deeper analysis

CVE-2026-40317 affects NovumOS, a custom 32-bit operating system written in Zig and x86 Assembly, in versions prior to 0.24. The vulnerability resides in Syscall 12 (JumpToUser), which accepts an arbitrary entry point address from user-space registers without validation. This flaw enables any Ring 3 user-mode process to jump directly to kernel addresses, executing arbitrary code in Ring 0 kernel context and resulting in local privilege escalation. The issue is rated with a CVSS v3.1 base score of 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation) and CWE-269 (Improper Privilege Management).

Local attackers with access to a Ring 3 user-mode process can exploit this vulnerability without privileges or user interaction. By invoking Syscall 12 with a crafted kernel address in user-space registers, they achieve arbitrary code execution in kernel mode, granting full control over the system, including complete confidentiality, integrity, and availability impacts due to the scope change to unchanged components.

The NovumOS security advisory and release notes recommend updating to version 0.24, where the issue is fixed. As a temporary mitigation, if immediate updating is not possible, operators should restrict syscall access by running the system in single-user mode without Ring 3 support and disable all user-mode processes, limiting operations to the kernel shell only. Relevant resources include the GitHub release for v0.24 and the security advisory at GHSA-xjx3-gjh9-45fm.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump…

more

to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict syscall access by running the system in single-user mode without Ring 3, and disable user-mode processes by only running kernel shell with no user processes. This issue has been fixed in version 0.24.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability directly enables local privilege escalation (T1068) by allowing unvalidated user-mode syscall input to execute arbitrary code in kernel (Ring 0) context from Ring 3.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40572Same product: Minecanton209 Novumos
CVE-2025-52347Shared CWE-20, CWE-269
CVE-2026-30769Shared CWE-20, CWE-269
CVE-2025-29814Shared CWE-20
CVE-2026-23896Shared CWE-269
CVE-2025-0893Shared CWE-269
CVE-2025-2858Shared CWE-269
CVE-2026-7905Shared CWE-20
CVE-2026-31368Shared CWE-269
CVE-2026-21983Shared CWE-269

Affected Assets

minecanton209
novumos
≤ 0.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-space inputs like the arbitrary entry point address in Syscall 12 to prevent jumping to unauthorized kernel addresses.

prevent

Mandates a reference monitor mechanism to mediate and validate all transitions from user-mode to kernel-mode, blocking unvalidated jumps to Ring 0.

prevent

Enforces strict separation of user-mode (Ring 3) execution domain from kernel-mode (Ring 0), mitigating syscall flaws that allow direct jumps between domains.

References