A local attacker who can execute code on a Windows machine with Little Orbit's GFAC.sys loaded can escalate to SYSTEM by writing arbitrary data to kernel memory — and there is no vendor patch available.
Three CVEs, Three Ways to Own the Kernel
CERT/CC published VU#639124 detailing three vulnerabilities in the GFAC.sys driver, used by Little Orbit's GameFirst Anti-Cheat software. CVE-2026-12166 is a NULL pointer dereference that crashes the system with a blue screen. CVE-2026-12167 exposes the driver's minifilter communication port to any local user — no proper access control means even low-privileged accounts can connect and invoke privileged functions. CVE-2026-12168 is the crown jewel for an attacker: a write-what-where condition where the driver writes attacker-supplied data to memory addresses without validation.
The Write-What-Where That Makes SYSTEM Trivial
CVE-2026-12168 lets an attacker send a crafted request through the minifilter port specifying both a destination kernel address and the data to write. That's a classic kernel memory corruption primitive. An attacker can overwrite process security tokens or other OS structures to gain SYSTEM privileges. Researcher Lucian Alexandru Necula found and disclosed these bugs. The driver in question is GFAC_Sys_x64.sys, a kernel-mode driver that handles anti-cheat enforcement. The ironic part: the same driver designed to prevent cheating opens a direct path to total system compromise.
No Vendor Contact Means No Fix
CERT/CC states they were unable to reach Little Orbit to coordinate a fix. That means there is no patch available and likely no timeline for one. Users who run games using GameFirst Anti-Cheat should disable or remove those games until an update arrives. Restricting local access to trusted users helps but is not a true mitigation — any attacker with code execution on the machine can use these bugs. This is a supply-chain risk for anyone who installed Little Orbit titles on Windows systems.
CERT/CC's advisory includes no workaround other than removal. With three CVEs published and vendor radio silence, the responsible move is to treat any machine with GFAC.sys as potentially compromisable if a local attacker gets a foothold. That should change how game publishers vet their anti-cheat dependencies.
Source: VU#639124: Multiple local privilege escalation vulnerabilities in Little Orbits GameFirst Anti-Cheat
Domain: kb.cert.org
Comments load interactively on the live page.