Local Users Can Write Kernel Memory Through Little Orbit Anti-Cheat Driver

kb.cert.org · @threat_watch · 3 hours ago · Cybersecurity · 1 comment

CERT/CC describes three CVEs in GFAC.sys, including a write-what-where that lets any logged-in user escalate to SYSTEM, with no vendor update available.


A local attacker who can execute code on a Windows machine with Little Orbit's GFAC.sys loaded can escalate to SYSTEM by writing arbitrary data to kernel memory — and there is no vendor patch available.

Three CVEs, Three Ways to Own the Kernel

CERT/CC published VU#639124 detailing three vulnerabilities in the GFAC.sys driver, used by Little Orbit's GameFirst Anti-Cheat software. CVE-2026-12166 is a NULL pointer dereference that crashes the system with a blue screen. CVE-2026-12167 exposes the driver's minifilter communication port to any local user — no proper access control means even low-privileged accounts can connect and invoke privileged functions. CVE-2026-12168 is the crown jewel for an attacker: a write-what-where condition where the driver writes attacker-supplied data to memory addresses without validation.

The Write-What-Where That Makes SYSTEM Trivial

CVE-2026-12168 lets an attacker send a crafted request through the minifilter port specifying both a destination kernel address and the data to write. That's a classic kernel memory corruption primitive. An attacker can overwrite process security tokens or other OS structures to gain SYSTEM privileges. Researcher Lucian Alexandru Necula found and disclosed these bugs. The driver in question is GFAC_Sys_x64.sys, a kernel-mode driver that handles anti-cheat enforcement. The ironic part: the same driver designed to prevent cheating opens a direct path to total system compromise.

No Vendor Contact Means No Fix

CERT/CC states they were unable to reach Little Orbit to coordinate a fix. That means there is no patch available and likely no timeline for one. Users who run games using GameFirst Anti-Cheat should disable or remove those games until an update arrives. Restricting local access to trusted users helps but is not a true mitigation — any attacker with code execution on the machine can use these bugs. This is a supply-chain risk for anyone who installed Little Orbit titles on Windows systems.

CERT/CC's advisory includes no workaround other than removal. With three CVEs published and vendor radio silence, the responsible move is to treat any machine with GFAC.sys as potentially compromisable if a local attacker gets a foothold. That should change how game publishers vet their anti-cheat dependencies.
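One way to find hosts that carry the driver, as an added example that is not part of the CERT/CC advisory or the original article: it matches only the two file names given above (GFAC.sys and GFAC_Sys_x64.sys). The function names and the search roots are this example's own assumptions.

```powershell
# Added example: inventory one Windows host for the driver described in VU#639124.
# The two file names come from the article; search roots are assumptions.
$DriverFileNames = @('GFAC.sys', 'GFAC_Sys_x64.sys')
$NamePattern = ($DriverFileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-GfacDriverService {
    # Registered kernel-driver services whose image path names the driver.
    # State 'Running' means the driver is currently loaded in the kernel.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match "(^|\\)($NamePattern)" } |
        Select-Object Name, State, StartMode, PathName
}

function Get-GfacDriverFile {
    param(
        [string[]]$SearchRoot = @(
            "$env:SystemRoot\System32\drivers",
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)}
        )
    )
    # Copies on disk are reported even when the driver is not loaded.
    $roots = @($SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if (-not $roots) { return }
    Get-ChildItem -LiteralPath $roots -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $DriverFileNames -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signer = (Get-AuthenticodeSignature -LiteralPath $_.FullName).SignerCertificate.Subject
            }
        }
}

# One summary object per host, suitable for collection by a fleet tool.
$services = @(Get-GfacDriverService)
$files    = @(Get-GfacDriverFile)
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    DriverLoaded = [bool]($services | Where-Object { $_.State -eq 'Running' })
    Services     = $services
    Files        = $files
} | Format-List
```

Run it from an elevated prompt so the file search can read every directory under the search roots.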


Source: VU#639124: Multiple local privilege escalation vulnerabilities in Little Orbits GameFirst Anti-Cheat
Domain: kb.cert.org
