CVE-2026-40317 - Vulnerability Details

- NovumOS has Privilege Escalation in the Syscall Interface

Description

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict syscall access by running the system in single-user mode without Ring 3, and disable user-mode processes by only running kernel shell with no user processes. This issue has been fixed in version 0.24.

Published: 2026-04-18

Score: 9.4 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

NovumOS, a custom 32‑bit operating system written in Zig and x86 assembly, was found to allow any user‑mode (Ring 3) process to execute code with kernel privileges by exploiting Syscall 12 (JumpToUser). The syscall accepts an arbitrary entry point address from user‑space registers without validation, enabling the attacker to redirect program flow to arbitrary kernel addresses. This results in local privilege escalation and full system compromise. The flaw is rooted in improper input validation (CWE‑20) and privileged access enforcement (CWE‑269).

Affected Systems

The affected vendor is MinecAnton209, publisher of NovumOS. Versions prior to 0.24 are vulnerable. The operating system runs on 32‑bit x86 hardware and is intended for specialized embedded or experimental deployments. Any installation that still uses the pre‑0.24 code base is exposed.

Risk and Exploitability

The CVSS score of 9.4 categorizes this flaw as critical. Because it is a local privilege escalation without network or remote code execution vectors, the EPSS score is unavailable, and the vulnerability is not yet listed in CISA’s KEV catalog. Attackers with access to a user‑level process or the ability to execute code in user mode can manually trigger Syscall 12 with a crafted entry address, thereby jumping to the kernel and achieving arbitrary code execution in Ring 0. There are no publicly documented constraints beyond the existence of a user/process in the system; the vulnerability can be exploited by any Ring 3 program that can control its registers.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MinecAnton209

NovumOS

affected

Version	Status	Constraints
`< 0.24`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade NovumOS to version 0.24 or later to apply the vendor's fix.
If an upgrade is not immediately possible, run the system in single‑user mode to eliminate Ring 3 processes, thereby preventing the exploit.
Alternatively, disable user‑mode processes by running only the kernel shell and no user applications.
In environments where upgrading or mode changes are infeasible, restrict access to Syscall 12 by disabling or sandboxing user‑mode invocations of privileged operations.

Generated by OpenCVE AI on April 18, 2026 at 08:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/MinecAnton209/NovumOS/releases/tag/v0.24
https://github.com/MinecAnton209/NovumOS/security/advisories/GHSA-xjx3-gjh9-45fm

History

Sat, 18 Apr 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict syscall access by running the system in single-user mode without Ring 3, and disable user-mode processes by only running kernel shell with no user processes. This issue has been fixed in version 0.24.
Title		NovumOS has Privilege Escalation in the Syscall Interface
Weaknesses		CWE-20 CWE-269
References		https://github.com/MinecAnton209/NovumOS/releases/tag/v0.24 https://github.com/MinecAnton209/NovumOS/security/advisories/GHSA-xjx3-gjh9-45fm
Metrics		cvssV3_1 `{'score': 9.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-18T00:12:10.368Z

Updated: 2026-04-18T00:12:10.368Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40317

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-18T01:16:19.380

Modified: 2026-04-18T01:16:19.380

Link: CVE-2026-40317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object