Skip to main content

GameFirst Anti-Cheat CVE-2026-12168

| EUVDEUVD-2026-41378 HIGH
2026-07-02 certcc GHSA-vh4v-p8g7-pj9w
7.8
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local vector and no UI since a low-privileged user sends IOCTLs to the kernel port (AV:L/PR:L/UI:N); kernel code execution yields full C/I/A high with unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 02, 2026 - 18:22 vuln.today
CVSS changed
Jul 02, 2026 - 18:22 NVD
7.8 (HIGH)
CVE Published
Jul 02, 2026 - 14:36 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

An improper validation vulnerability for driver GFAC_Sys_x64.sys in Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port.

AnalysisAI

Local privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) lets a low-privileged user reach SYSTEM and run arbitrary code in kernel mode by sending crafted messages to the GFAC_Sys_x64.sys minifilter communication port. All GameFirst Anti-Cheat builds up to and including the 2025-07-07 release are affected, and a public GitHub repository covering this CVE alongside two sibling flaws indicates exploit material is available. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privileged local access
Delivery
Open handle to GFAC minifilter communication port
Exploit
Send crafted malformed message
Execution
Trigger improper validation in GFAC_Sys_x64.sys
Persist
Corrupt kernel memory / execute in kernel mode
Impact
Escalate to SYSTEM

Vulnerability AssessmentAI

Exploitation Requires local access with at least a low-privileged user account on a Windows host that has Little Orbit GameFirst Anti-Cheat installed and its GFAC_Sys_x64.sys driver loaded - the attacker must be able to open and send messages to the driver's minifilter communication port. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) accurately frames this as a high-severity local escalation, not a remote entry point: an attacker must already have code execution as a low-privileged local user, but from there exploitation is low-complexity, requires no user interaction, and yields full confidentiality, integrity, and availability impact by reaching SYSTEM/kernel. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained low-privileged code execution on a gaming workstation - for example via a malicious mod, phishing payload, or a compromised standard user account - opens a handle to the GFAC minifilter communication port and sends a crafted, malformed message that the driver fails to validate. The resulting kernel-mode memory corruption is leveraged to execute attacker-controlled code as SYSTEM, completing a full local privilege escalation; a public repository referencing this CVE increases the likelihood that working exploit code is available.
Remediation No vendor-released patched version number is identified in the available data; the EUVD record only bounds the vulnerable range as ≤2025-07-07, implying a later fixed build exists but without a confirmed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all systems running GFAC versions through 2025-07-07, prioritizing those with internet access or sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12168 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy