Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionGitHub Advisory
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, resulting in local privilege escalation. This issue has been fixed in version 0.24. If developers are unable to immediately update, they should restrict syscall access by running the system in single-user mode without Ring 3, and disable user-mode processes by only running kernel shell with no user processes. This issue has been fixed in version 0.24.
AnalysisAI
Syscall 12 (JumpToUser) in NovumOS versions prior to 0.24 executes arbitrary kernel code at Ring 0 privilege when invoked by unprivileged Ring 3 user-mode processes. The vulnerability stems from missing address validation on user-supplied entry points, enabling local privilege escalation from user mode to kernel mode with complete system control. CISA SSVC framework confirms publicly available exploit code (POC status) with total technical impact, though EPSS score remains low at 0.02% (5th percentile), suggesting limited real-world targeting of this niche custom operating system despite the severe technical flaw.
Technical ContextAI
NovumOS is a custom 32-bit operating system implemented in Zig and x86 Assembly, employing x86 privilege ring architecture where Ring 0 represents kernel mode with unrestricted hardware access and Ring 3 represents user mode with limited privileges. The vulnerability resides in Syscall 12 (JumpToUser), a system call interface that transitions execution context between privilege levels. The root cause is improper privilege management (CWE-269) - specifically, the syscall accepts an arbitrary memory address from user-space CPU registers (likely EIP/instruction pointer) and performs an unconditional jump without validating whether the target address resides in kernel memory space. In x86 protected mode, kernel addresses typically occupy high memory regions (0xC0000000+ in many designs), while user-space is confined to lower addresses. By passing a kernel-space address through syscall parameters, an attacker bypasses ring separation and executes arbitrary instructions with kernel privileges.
RemediationAI
Upgrade immediately to NovumOS version 0.24 or later, available at https://github.com/MinecAnton209/NovumOS/releases/tag/v0.24, which implements address validation for Syscall 12 entry points. For environments unable to upgrade immediately, the vendor advisory recommends two compensating controls with significant operational impact: (1) Run the system in single-user mode without Ring 3 privilege level, effectively disabling all user-mode process execution - this eliminates the attack surface but removes multi-user functionality and application isolation. (2) Disable user-mode processes entirely by running only the kernel shell with no user processes - this reduces the OS to kernel-only operation, negating the purpose of ring separation. Both workarounds severely limit system utility and are only viable for development/testing environments or systems that can operate with kernel-only code. Production deployments should prioritize immediate patching to v0.24, as the workarounds fundamentally disable core OS functionality. Organizations should audit which systems run NovumOS (likely embedded devices, research platforms, or specialized controllers) and establish a patch timeline based on change control processes.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23630