CVE-2026-3609 Overview
CVE-2026-3609 is a local privilege escalation vulnerability in xhunter1.sys, the kernel-mode driver of Wellbia's XIGNCODE3 anti-cheat. The driver exposes a device object whose IRP_MJ_DEVICE_CONTROL dispatch routine accepts an IOCTL, referred to here as IRP_MJ_REITS (the name is not a standard Windows IRP major-function code; it is the label used for the driver's own command), without enforcing any access control. Any low-privileged local process can send that IOCTL and receive a PROCESS_ALL_ACCESS handle to an arbitrary process, including processes running as SYSTEM. The CVE cross-references Korea CERT advisory KVE-2023-5589 and affects XIGNCODE3 version 10.0.10011.16384. An attacker with local code execution as a standard user can use such a handle to run code inside a SYSTEM process and take over the host.
Critical Impact
A local attacker can obtain a PROCESS_ALL_ACCESS handle to any process on the system, which is enough to inject code into a SYSTEM process and compromise the host completely.
Affected Products
- Wellbia XIGNCODE3 10.0.10011.16384
- xhunter1.sys kernel driver
- Games and applications bundling the vulnerable driver
Discovery Timeline
- 2026-05-11 - CVE-2026-3609 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-3609
Vulnerability Analysis
The xhunter1.sys driver is a kernel-mode anti-cheat component distributed by Wellbia as part of the XIGNCODE3 product. The driver registers a device object that user-mode processes can open and send I/O control (IOCTL) requests to through DeviceIoControl. The IRP_MJ_DEVICE_CONTROL dispatch routine handles an IOCTL, labelled IRP_MJ_REITS here, whose implementation calls ObOpenObjectByPointer or an equivalent routine to return a handle to the process the caller specifies. ObOpenObjectByPointer performs an access check against the caller's token only when it is invoked with AccessMode set to UserMode; however the driver ends up skipping that check, the result is a handle the caller's own token could never obtain through OpenProcess.
The dispatch routine validates neither the caller's privileges nor the target. A process running under a standard user token can therefore request and receive a handle with PROCESS_ALL_ACCESS rights to any process, including lsass.exe, winlogon.exe and other SYSTEM-owned processes. With such a handle the attacker can allocate memory in the target (VirtualAllocEx), write shellcode into it (WriteProcessMemory) and start a thread on it (CreateRemoteThread), all from user mode and without any exploit against the kernel itself.
Root Cause
The root cause is missing access control in the driver's IOCTL handler. The driver trusts the user-mode caller to supply a target process identifier and grants a kernel-mediated handle without checking the caller's previous mode, integrity level or token privileges, or the relationship between caller and target. Nor does it restrict who may open the device object in the first place: the device is reachable by non-administrative callers, whereas a kernel component following least privilege would create it with a restrictive security descriptor (for example through IoCreateDeviceSecure with an SDDL string limiting access to administrators or to the game's own signed launcher) and would still perform the access check on every request.
Attack Vector
Exploitation requires local code execution as a standard user on a system where xhunter1.sys is loaded. The attacker opens a handle to the driver's device object, then issues the IRP_MJ_REITS IOCTL with the identifier of a target process. The driver returns a handle with full access rights, which the attacker uses to inject code into a SYSTEM process and execute it with elevated privileges. No user interaction or network access is required; the attack is entirely local. Technical reproduction details are documented in the public PoC writeup for CVE-2026-3609.
Detection Methods for CVE-2026-3609
Indicators of Compromise
- Presence of xhunter1.sys loaded on systems that do not run an application protected by the associated anti-cheat.
- User-mode processes other than the game or its launcher opening the driver's device object (reported as \\.\XhunterDrv; confirm the exact name on a host with the driver loaded, for example with Sysinternals WinObj, before building a rule on it).
- Unexpected PROCESS_ALL_ACCESS handles to SYSTEM processes held by processes running at medium integrity (a standard user) or lower.
- Remote thread creation or memory writes targeting lsass.exe, winlogon.exe or services.exe from a source process running as a standard user.
Detection Strategies
- Monitor driver load events (Sysmon Event ID 6, DriverLoad) for xhunter1.sys and correlate them with the application that installed the driver.
- Audit DeviceIoControl calls to anti-cheat device objects from non-game processes using EDR telemetry; Windows event logging does not record DeviceIoControl calls, so this signal is only available from an EDR or custom kernel callback.
- Track cross-process handle acquisition, handle duplication and injection patterns where the source process runs at medium integrity and the target runs as SYSTEM.
Monitoring Recommendations
- Enable the Microsoft-Windows-Kernel-Process ETW provider for process and thread creation, Sysmon Event ID 10 (ProcessAccess, which records the GrantedAccess mask) and Sysmon Event ID 8 (CreateRemoteThread). Because the handle in this vulnerability is minted inside the kernel rather than through OpenProcess, treat Event ID 8 and the subsequent memory writes as the confirming signal rather than relying on the handle event alone.
- Alert on ProcessAccess events whose GrantedAccess includes PROCESS_VM_WRITE (0x0020) or PROCESS_CREATE_THREAD (0x0002), or equals PROCESS_ALL_ACCESS (0x1FFFFF), when the target is a SYSTEM process, after allowlisting the EDR, backup and monitoring agents that legitimately hold such rights.
- Maintain an inventory of endpoints where XIGNCODE3 is installed and treat them as elevated-risk hosts until patched.
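As an added example (not part of this advisory and not Wellbia's tooling), the following Python script applies the detection strategy above to Sysmon Event ID 10 records: it parses the Windows Event XML, decodes the GrantedAccess mask into the PROCESS_* rights it contains, and flags records where a non-SYSTEM source obtains injection-capable rights to lsass.exe, winlogon.exe, services.exe or any other SYSTEM-owned process, while ignoring the read-only queries that Task Manager and similar tools generate constantly. The four event records are constructed for the example (paths, users and process names are made up) and follow Sysmon's EventData layout; the SourceUser and TargetUser fields exist only in recent Sysmon releases, so the image list serves as the fallback when they are absent.

```python
"""Scan Sysmon Event ID 10 (ProcessAccess) records for injection-capable
handles to SYSTEM processes obtained by a non-SYSTEM source.

SAMPLE_EVENTS are constructed for this example: paths and users are
invented, but the EventData layout follows Sysmon's schema.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h.
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

RIGHT_NAMES = [
    (PROCESS_TERMINATE, "PROCESS_TERMINATE"),
    (PROCESS_CREATE_THREAD, "PROCESS_CREATE_THREAD"),
    (PROCESS_VM_OPERATION, "PROCESS_VM_OPERATION"),
    (PROCESS_VM_READ, "PROCESS_VM_READ"),
    (PROCESS_VM_WRITE, "PROCESS_VM_WRITE"),
    (PROCESS_DUP_HANDLE, "PROCESS_DUP_HANDLE"),
    (PROCESS_QUERY_INFORMATION, "PROCESS_QUERY_INFORMATION"),
    (PROCESS_QUERY_LIMITED_INFORMATION, "PROCESS_QUERY_LIMITED_INFORMATION"),
]

# Rights sufficient to write shellcode into the target and start it.
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Targets named in the advisory; the TargetUser check covers other SYSTEM processes.
PROTECTED_IMAGES = {"lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_ACCOUNT_PREFIX = "NT AUTHORITY\\"


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten a Windows Event XML record into {field name: value}."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    return fields


def decode_access(mask: int) -> List[str]:
    """Translate a GrantedAccess mask into the PROCESS_* rights it contains."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in RIGHT_NAMES if mask & bit]


def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when a non-SYSTEM source gets injection-capable rights to a SYSTEM process."""
    if ev.get("EventID") != "10":
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    target_image = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    target_is_system = (target_image in PROTECTED_IMAGES
                        or ev.get("TargetUser", "").upper().startswith(SYSTEM_ACCOUNT_PREFIX))
    source_is_system = ev.get("SourceUser", "").upper().startswith(SYSTEM_ACCOUNT_PREFIX)
    if not target_is_system or source_is_system:
        return False
    # Read-only queries of SYSTEM processes are routine; only write/thread rights alert.
    return granted == PROCESS_ALL_ACCESS or bool(granted & INJECTION_RIGHTS)


def scan(xml_events: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious record, with the decoded rights."""
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if is_suspicious(ev):
            findings.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                             "rights": decode_access(int(ev["GrantedAccess"], 16))})
    return findings


def _sysmon10(src_image, src_user, dst_image, dst_user, granted):
    """Build a constructed Sysmon Event ID 10 record in Windows Event XML form."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceImage">{src_image}</Data><Data Name="SourceUser">{src_user}</Data>
    <Data Name="TargetImage">{dst_image}</Data><Data Name="TargetUser">{dst_user}</Data>
    <Data Name="GrantedAccess">{granted}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # 1: a standard user's tool gets the full mask to lsass.exe -> flag
    _sysmon10(r"C:\Users\alice\Downloads\tool.exe", r"DESKTOP-7\alice",
              r"C:\Windows\System32\lsass.exe", "NT AUTHORITY\\SYSTEM", "0x1FFFFF"),
    # 2: a SYSTEM-owned agent reading lsass.exe -> source is SYSTEM, ignore
    _sysmon10(r"C:\Program Files\Agent\agent.exe", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\lsass.exe", "NT AUTHORITY\\SYSTEM", "0x1010"),
    # 3: full mask to the user's own notepad.exe -> target is not SYSTEM, ignore
    _sysmon10(r"C:\Users\alice\Downloads\tool.exe", r"DESKTOP-7\alice",
              r"C:\Windows\System32\notepad.exe", r"DESKTOP-7\alice", "0x1FFFFF"),
    # 4: Task Manager style query of winlogon.exe -> no injection rights, ignore
    _sysmon10(r"C:\Windows\System32\Taskmgr.exe", r"DESKTOP-7\alice",
              r"C:\Windows\System32\winlogon.exe", "NT AUTHORITY\\SYSTEM", "0x1400"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['source']} -> {f['target']}: {', '.join(f['rights'])}")
```

Only the first record produces a finding. In production the same logic runs over events exported with Get-WinEvent or a SIEM query, with an allowlist of agents that legitimately hold write rights on lsass.exe added to is_suspicious; remember that Sysmon reports the mask at handle-creation time, so a finding marks the handle, and Event ID 8 or an observed memory write is the confirmation of actual injection.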
How to Mitigate CVE-2026-3609
Immediate Actions Required
- Uninstall XIGNCODE3 or the associated application on systems that do not actively require it.
- Block loading of xhunter1.sys version 10.0.10011.16384 with a Windows Defender Application Control (WDAC) deny rule (by file hash, or by signer and file version), and enable Microsoft's vulnerable driver blocklist; the Microsoft list only covers this driver once Microsoft adds it, so the WDAC deny rule is the control you can deploy today.
- Restrict local logon and limit standard user code execution on systems where the driver must remain loaded.
Patch Information
No vendor advisory URL is listed in the CVE record at publication time. Administrators should monitor Wellbia for an updated XIGNCODE3 release that supersedes version 10.0.10011.16384 and reference the Korea CERT cross-reference KVE-2023-5589 for additional vendor coordination details.
Workarounds
- Administrators cannot add entries to the Microsoft Vulnerable Driver Blocklist themselves. Enable the blocklist (Windows Security > Device security > Core isolation, or the WDAC policy that ships it) so the driver is blocked once Microsoft lists it, and until then deploy your own WDAC deny rule for xhunter1.sys.
- Remove the driver service entry and delete the driver binary on hosts that no longer run the protected application.
- Apply application control (WDAC or AppLocker) so that unsigned or unapproved user-mode binaries cannot run at all on hosts where the driver must stay loaded. Neither WDAC nor AppLocker filters IOCTLs once a process is running, so this reduces the pool of processes that can reach the driver rather than fixing the driver.
# Query, stop and remove the xhunter1 driver service (PowerShell, elevated prompt;
# xhunter1 is the service name the driver registers under)
sc.exe query xhunter1
sc.exe stop xhunter1
sc.exe delete xhunter1
# A kernel driver may refuse to stop while the protected application is running;
# close the application first, and reboot after the delete so the driver is not reloaded
# Verify the driver binary is gone (prints False once removed; in cmd.exe use
# dir %SystemRoot%\System32\drivers\xhunter1.sys instead)
Test-Path "$env:SystemRoot\System32\drivers\xhunter1.sys"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.