CVE-2026-3796 Overview
A vulnerability has been identified in Qi-ANXIN QAX Virus Removal software up to version 2025-10-22. The affected element is the function ZwTerminateProcess within the QKSecureIO_Imp.sys driver, which is part of the Mini Filter Driver component. The flaw is an improper access control: a local attacker can potentially manipulate process termination behavior in an unauthorized manner.
Critical Impact
Local attackers with low privileges can exploit improper access controls in the Mini Filter Driver to manipulate system processes, potentially bypassing security protections provided by the antivirus software.
Affected Products
- Qi-ANXIN QAX Virus Removal (versions up to 2025-10-22)
- Qianxin QAX Internet Control Gateway
- Systems running QKSecureIO_Imp.sys Mini Filter Driver
Discovery Timeline
- 2026-03-09 - CVE-2026-3796 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-3796
Vulnerability Analysis
This vulnerability resides in the Mini Filter Driver component of Qi-ANXIN QAX Virus Removal software, specifically within the QKSecureIO_Imp.sys system driver. The ZwTerminateProcess function, which is a kernel-level function responsible for terminating processes, is improperly exposed or controlled within this driver.
Mini Filter Drivers operate at the kernel level and intercept I/O requests to file systems, making them critical components for security software. When access controls are improperly implemented in such drivers, local attackers can potentially manipulate the driver's behavior to terminate protected processes or bypass security mechanisms that the antivirus software is meant to enforce.
The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), indicating that the driver fails to properly validate privileges before allowing process termination operations.
Root Cause
The root cause of this vulnerability stems from incorrect privilege assignment (CWE-266) in the QKSecureIO_Imp.sys Mini Filter Driver. The driver's implementation of the ZwTerminateProcess function does not properly validate whether the requesting process has sufficient privileges to terminate target processes. This allows local users with low privileges to invoke the function and potentially terminate processes that should be protected by the security software.
Attack Vector
The attack requires local access to the system where QAX Virus Removal is installed. An attacker with low privileges can interact with the vulnerable Mini Filter Driver to exploit the improper access control mechanism. The attack complexity is low and no user interaction is required, making it relatively straightforward for a local attacker to exploit.
A proof-of-concept has been publicly released and is available through the FocusKiller GitHub repository. The vendor was contacted about this vulnerability but did not respond, leaving affected systems potentially unpatched.
Detection Methods for CVE-2026-3796
Indicators of Compromise
- Unexpected process terminations, particularly security-related processes
- Unusual interactions with QKSecureIO_Imp.sys driver from non-privileged processes
- System event logs showing abnormal driver communication patterns
- Security software components being terminated without administrative action
Detection Strategies
- Monitor for calls to the QKSecureIO_Imp.sys driver from processes that do not normally interact with kernel drivers
- Implement Windows Event Log monitoring for unexpected process termination events
- Deploy endpoint detection rules to identify unauthorized privilege escalation attempts targeting Mini Filter Drivers
- Use driver monitoring tools to detect suspicious IOCTL calls to the vulnerable driver
Monitoring Recommendations
- Enable enhanced Windows audit logging for process creation and termination events
- Monitor for the presence of known exploitation tools such as FocusKiller on endpoints
- Implement behavioral analysis to detect attempts to terminate antivirus processes
- Review system logs for patterns consistent with privilege abuse in kernel drivers
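The Windows Event Log monitoring and behavioral checks recommended above can be started with a simple triage query. The script below is an added example, not part of the advisory or of any Qi-ANXIN tooling: it pulls recent Security log Event ID 4689 ("A process has exited") records and flags exits of process names you designate as protected. It assumes Process Termination auditing is enabled, that it runs from an elevated prompt, and that the entries in $ProtectedNames are placeholders you replace with the antivirus/EDR binaries in your estate.

```powershell
# Added example: flag unexpected exits of protected (security) processes via Event ID 4689.
# Assumptions: "Process Termination" auditing is enabled (auditpol), the shell is elevated,
# and $ProtectedNames holds placeholder names to be replaced with your own AV/EDR executables.
param(
    [int]$Hours = 24,
    [string[]]$ProtectedNames = @('PLACEHOLDER-av-service.exe', 'PLACEHOLDER-av-ui.exe')
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4689; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Each 4689 event carries its fields as <Data Name="..."> elements; flatten them to a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $procName = [System.IO.Path]::GetFileName($data['ProcessName'])
    if ($ProtectedNames -contains $procName) {   # -contains is case-insensitive by default
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Process    = $data['ProcessName']
            ProcessId  = [Convert]::ToInt32($data['ProcessId'], 16)  # logged as hex, e.g. 0x1a2c
            ExitStatus = $data['Status']                              # NTSTATUS of the exit
            # Caveat: 4689 records the security context of the process that exited,
            # not the process that requested the termination.
            User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}
```

Correlate any hits with 4688 process creation events in the same window to see what ran shortly before the protected process exited; on its own, 4689 tells you that a protected process ended, not which process ended it.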
How to Mitigate CVE-2026-3796
Immediate Actions Required
- Restrict local user access to systems running affected versions of QAX Virus Removal
- Implement application whitelisting to prevent execution of known exploitation tools
- Apply the principle of least privilege to limit which users can interact with system drivers
- Consider temporarily removing or disabling the affected software if a patch is not available
Patch Information
At the time of publication, the vendor (Qi-ANXIN) has not responded to disclosure attempts and no official patch is available. Organizations should monitor the VulDB entry and vendor announcements for patch availability. Until a patch is released, implementing compensating controls is strongly recommended.
Workarounds
- Restrict physical and remote access to systems running the vulnerable software to trusted administrators only
- Deploy additional endpoint protection solutions to monitor for exploitation attempts
- Implement network segmentation to limit the impact if a system is compromised
- Consider using alternative antivirus software until the vendor addresses this vulnerability
# Configuration example - enable auditing of process lifecycle events
# Note: This is a compensating control (detection), not a complete fix; it does not restrict access to the driver
# Run the following from an elevated PowerShell or cmd prompt (auditpol and reg are built-in Windows tools)
# Enable process creation auditing (Event ID 4688)
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
# Enable process termination auditing (Event ID 4689) so unexpected exits of protected processes are logged
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
# Include the command line in 4688 events (policy "Include command line in process creation events")
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
# Forward Security log Event IDs 4688 and 4689 via Windows Event Forwarding or to your SIEM
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

