CVE-2026-3609 - Vulnerability Details

- XIGNCODE3 xhunter1.sys kernel driver contains a Privilege Escalation Vulnerability

Description

Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS.
Cross reference to KVE 2023-5589 (https://krcert.or.kr)

Published: 2026-05-11

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in Wellbia's XIGNCODE3 kernel driver, xhunter1.sys, which exposes the IRP_MJ_REITS control code to any user‑space process. By invoking this interface, an attacker can request PROCESS_ALL_ACCESS, a classic access‑control weakness. If granted, the process gains full kernel privileges, allowing the attacker to escape normal user isolation and perform privileged kernel operations. No additional compromises are required.

Affected Systems

The affected product is Wellbia XIGNCODE3 Anti‑Cheat. No specific version range is supplied by the CNA, so every build that includes the vulnerable xhunter1.sys driver is potentially at risk. The provided CPE points to build 10.0.10011.16384, but the lack of explicit version constraints implies earlier releases may also contain the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score is below 1 %, reflecting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector inferred from the description is local: a user process can send the IRP to the driver, triggering privilege escalation. No remote exploitation path is described.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Wellbia

XIGNCODE3 Anti-Cheat

affected

Version	Status	Constraints
`10.0.10011.16384`	affected	—

Configuration 1 [-]

cpe:2.3:a:wellbia:xigncode3:10.0.10011.16384:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wellbia

Xigncode3 Anti-cheat

100%

Version	Status	Scheme	Platform
`10.0.10011.16384`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Wellbia XIGNCODE3 to the latest version once a vendor patch that removes the exposed IRP_MJ_REITS interface is released.
If no patch is available, uninstall or disable the xhunter1.sys kernel driver to eliminate the vulnerable entry point.
Enforce driver signing and restrict loading of unsigned or blocked drivers to prevent reinstallation of the vulnerable module.
Modify the driver’s access‑control logic to ensure that only system‑privileged processes can issue IRP_MJ_REITS commands.

Generated by OpenCVE AI on May 13, 2026 at 19:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00006.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://blacksnufkin.github.io/posts/AntiCheat-LPE-CVE-2026-3609/
https://crcert.or.kr

History

Wed, 13 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-284 CWE-732

Wed, 13 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wellbia xigncode3
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:wellbia:xigncode3:10.0.10011.16384:::::::*
Vendors & Products		Wellbia xigncode3

Wed, 13 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wellbia Wellbia xigncode3 Anti-cheat
Vendors & Products		Wellbia Wellbia xigncode3 Anti-cheat

Mon, 11 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284 CWE-732

Mon, 11 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS. Cross reference to KVE 2023-5589 (https://krcert.or.kr)
Title		XIGNCODE3 xhunter1.sys kernel driver contains a Privilege Escalation Vulnerability
References		https://blacksnufkin.github.io/posts/AntiCheat-LPE-CVE-2026-3609/ https://crcert.or.kr

Subscriptions

Wellbia Xigncode3 Xigncode3 Anti-cheat

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2026-05-11T16:25:24.769Z

Updated: 2026-05-13T12:35:57.998Z

Reserved: 2026-03-05T17:54:52.283Z

Link: CVE-2026-3609

Vulnrichment

Updated: 2026-05-13T12:35:08.489Z

NVD

Status : Modified

Published: 2026-05-11T18:16:33.560

Modified: 2026-05-13T14:17:35.900

Link: CVE-2026-3609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:00:04Z

Weaknesses

NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object