Skip to main content

NovumOS EUVDEUVD-2026-23640

| CVE-2026-40572 CRITICAL
Improper Privilege Management (CWE-269)
2026-04-18 GitHub_M
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

9
Patch released
Apr 27, 2026 - 14:13 nvd
Patch available
Analysis Updated
Apr 27, 2026 - 14:12 vuln.today
v3 (cvss_changed)
Patch available
Apr 18, 2026 - 02:01 EUVD
Analysis Updated
Apr 18, 2026 - 01:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 01:22 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 01:09 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 01:00 euvd
EUVD-2026-23640
Analysis Generated
Apr 18, 2026 - 01:00 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions, including critical kernel structures such as the IDT, GDT, TSS, and page tables. A local attacker can exploit this to modify kernel interrupt handlers, resulting in privilege escalation from user mode to kernel context. This issue has been fixed in version 0.24.

AnalysisAI

Privilege escalation in NovumOS versions prior to 0.24 allows local unprivileged attackers to gain kernel-level execution by manipulating core kernel structures. The vulnerable Syscall 15 (MemoryMapRange) permits user-mode processes to map arbitrary virtual memory regions, including protected kernel areas (IDT, GDT, TSS, page tables), enabling modification of interrupt handlers for privilege elevation. CISA SSVC framework confirms POC availability with total technical impact, though EPSS exploitation probability remains very low (0.01%, 2nd percentile), indicating research-phase discovery rather than widespread targeting. No CISA KEV listing at time of analysis. Vendor-released patch available in version 0.24.

Technical ContextAI

NovumOS is a custom 32-bit operating system implemented in Zig programming language and x86 Assembly, representing a research/educational OS project. The vulnerability exists in the system call interface layer - specifically Syscall 15 (MemoryMapRange) - which manages virtual-to-physical memory mapping for user processes operating at Ring 3 privilege level. In x86 architecture, critical kernel data structures must be protected from user-mode modification: the Interrupt Descriptor Table (IDT) defines interrupt/exception handlers, the Global Descriptor Table (GDT) establishes memory segmentation and privilege rings, the Task State Segment (TSS) manages hardware context switching, and page tables control virtual memory translation. The root cause aligns with CWE-269 (Improper Privilege Management), where the syscall lacks boundary validation against protected kernel address ranges. This represents a fundamental memory protection failure in the operating system's security model, allowing Ring 3 code to breach the Ring 0 kernel boundary through legitimate system call interface rather than traditional buffer overflow exploitation.

RemediationAI

Upgrade immediately to NovumOS version 0.24 or later, available at https://github.com/MinecAnton209/NovumOS/releases/tag/v0.24, which implements proper boundary validation in the MemoryMapRange syscall to prevent mapping of protected kernel address ranges. If immediate upgrade is not feasible, implement strict application whitelisting to prevent execution of untrusted user-mode code, as exploitation requires ability to invoke Syscall 15 from a running process. For development/testing environments, consider running NovumOS instances in isolated virtual machines with no network connectivity and restricted host access to limit potential lateral movement if kernel compromise occurs - note this does not prevent the vulnerability but contains blast radius. Disabling or removing Syscall 15 functionality entirely would prevent exploitation but will break legitimate applications relying on custom memory mapping, causing application failures. No partial workaround exists that maintains full functionality while preventing exploitation; upgrade to 0.24 is the only complete remediation path. Audit any code previously executed on vulnerable versions for potential kernel-level persistence mechanisms installed through IDT/GDT manipulation.

Share

EUVD-2026-23640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy