CVE-2026-40572
Published: 18 April 2026
Summary
CVE-2026-40572 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Minecanton209 Novumos. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 2.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-16 mandates memory protection controls that prevent user-mode processes from mapping or accessing unauthorized kernel memory regions such as IDT, GDT, TSS, and page tables.
SC-39 enforces process isolation to maintain distinct execution domains between user-mode Ring 3 processes and kernel space, blocking unauthorized memory mappings into kernel structures.
AC-3 requires enforcement of access controls in syscalls like MemoryMapRange to validate and restrict mappings against forbidden kernel regions, preventing privilege escalation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the MemoryMapRange syscall allows unprivileged user-mode processes to map and modify kernel memory regions (e.g., IDT), directly enabling exploitation for privilege escalation from Ring 3 to kernel context.
NVD Description
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions, including critical kernel structures such as the IDT, GDT, TSS, and page tables. A local attacker can exploit this to modify kernel interrupt handlers, resulting in privilege escalation from user mode to kernel context. This issue has been fixed in version 0.24.
Deeper analysis
CVE-2026-40572 affects NovumOS, a custom 32-bit operating system written in Zig and x86 Assembly, in versions prior to 0.24. The vulnerability resides in Syscall 15 (MemoryMapRange), which permits Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validation against forbidden regions. This includes critical kernel structures such as the IDT, GDT, TSS, and page tables, enabling improper memory access that violates privilege boundaries. The issue is classified under CWE-269 (Improper Privilege Management) with a CVSS v3.1 base score of 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
A local attacker with access to a user-mode process can exploit this flaw with low complexity and no privileges required. By invoking the vulnerable syscall, the attacker maps and modifies kernel memory regions, such as altering interrupt handlers in the IDT. This leads to privilege escalation from Ring 3 user mode to kernel context, granting full control over the system.
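The AC-3 control above and this paragraph both come down to one missing step: the syscall must validate a user-supplied range against the kernel's forbidden structures before touching any page table. The following C block is an added example of such a validator written for this page; it is not NovumOS code (the project is written in Zig), and the region addresses, the `MemoryMapRange` argument shape, and the function names `validate_user_map_range` and `ranges_overlap` are all constructed assumptions. It also handles the edge case a naive `end < start` check misses: a length chosen so that `vaddr + len` wraps past the top of the 32-bit address space.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Forbidden kernel structures that a Ring 3 map request must never cover.
 * The addresses below are CONSTRUCTED for this example; they are not
 * NovumOS's real memory layout. Each entry satisfies start + len - 1 < 2^32. */
typedef struct {
    uint32_t start;
    uint32_t len;        /* bytes */
    const char *name;
} region_t;

static const region_t forbidden_regions[] = {
    { 0xC0001000u, 0x00000800u, "IDT" },
    { 0xC0002000u, 0x00001000u, "GDT" },
    { 0xC0003000u, 0x00001000u, "TSS" },
    { 0xC0400000u, 0x00400000u, "page tables" },
};
#define N_FORBIDDEN (sizeof forbidden_regions / sizeof forbidden_regions[0])

typedef enum { MAP_OK = 0, MAP_EINVAL = -1, MAP_EPERM = -2 } map_status_t;

/* Inclusive-end overlap test. Both ranges must already be known not to wrap
 * around 2^32, otherwise a_last / b_last would be meaningless. */
static bool ranges_overlap(uint32_t a, uint32_t alen, uint32_t b, uint32_t blen) {
    uint32_t a_last = a + alen - 1;
    uint32_t b_last = b + blen - 1;
    return a <= b_last && b <= a_last;
}

/* Validate a user-mode map request before any page-table change is made.
 * On MAP_EPERM, *hit names the forbidden region that was touched so the
 * kernel can log the attempt (useful detection signal for a local escalation). */
map_status_t validate_user_map_range(uint32_t vaddr, uint32_t len, const char **hit) {
    if (hit) *hit = NULL;
    if (len == 0) return MAP_EINVAL;
    /* Reject ranges whose last byte would lie beyond 0xFFFFFFFF: with
     * wraparound, a huge length could otherwise look like a small one. */
    if (len - 1 > UINT32_MAX - vaddr) return MAP_EINVAL;
    for (size_t i = 0; i < N_FORBIDDEN; i++) {
        const region_t *r = &forbidden_regions[i];
        if (ranges_overlap(vaddr, len, r->start, r->len)) {
            if (hit) *hit = r->name;
            return MAP_EPERM;
        }
    }
    return MAP_OK;
}

int main(void) {
    /* Constructed sample requests: a normal user mapping, one that straddles
     * the last bytes of the IDT, and one that wraps the address space. */
    struct { uint32_t va, len; } req[] = {
        { 0x08048000u, 0x1000u },
        { 0xC00017F0u, 0x20u },
        { 0xFFFFF000u, 0x2000u },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        const char *hit = NULL;
        map_status_t s = validate_user_map_range(req[i].va, req[i].len, &hit);
        printf("map %08x+%x -> %d%s%s\n", req[i].va, req[i].len, (int)s,
               hit ? " (hits " : "", hit ? hit : "");
        if (hit) printf(")\n");
    }
    return 0;
}
```

The check is deliberately range-based rather than a per-address lookup so that a request that merely brushes the end of a structure (the second sample request ends 16 bytes inside the IDT) is refused just like one that covers it completely; in a real kernel the same table would also hold the kernel text and any other structure whose modification yields ring 0 control.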
The vulnerability has been addressed in NovumOS version 0.24, as detailed in the project's release notes and security advisory. Security practitioners running affected versions should upgrade to v0.24 or later to mitigate the risk, with further technical details available in the GitHub advisory (GHSA-rg7m-6vh7-f4v2) and release page.
Details
- CWE(s)