Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
9DescriptionGitHub Advisory
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions, including critical kernel structures such as the IDT, GDT, TSS, and page tables. A local attacker can exploit this to modify kernel interrupt handlers, resulting in privilege escalation from user mode to kernel context. This issue has been fixed in version 0.24.
AnalysisAI
Privilege escalation in NovumOS versions prior to 0.24 allows local unprivileged attackers to gain kernel-level execution by manipulating core kernel structures. The vulnerable Syscall 15 (MemoryMapRange) permits user-mode processes to map arbitrary virtual memory regions, including protected kernel areas (IDT, GDT, TSS, page tables), enabling modification of interrupt handlers for privilege elevation. CISA SSVC framework confirms POC availability with total technical impact, though EPSS exploitation probability remains very low (0.01%, 2nd percentile), indicating research-phase discovery rather than widespread targeting. No CISA KEV listing at time of analysis. Vendor-released patch available in version 0.24.
Technical ContextAI
NovumOS is a custom 32-bit operating system implemented in Zig programming language and x86 Assembly, representing a research/educational OS project. The vulnerability exists in the system call interface layer - specifically Syscall 15 (MemoryMapRange) - which manages virtual-to-physical memory mapping for user processes operating at Ring 3 privilege level. In x86 architecture, critical kernel data structures must be protected from user-mode modification: the Interrupt Descriptor Table (IDT) defines interrupt/exception handlers, the Global Descriptor Table (GDT) establishes memory segmentation and privilege rings, the Task State Segment (TSS) manages hardware context switching, and page tables control virtual memory translation. The root cause aligns with CWE-269 (Improper Privilege Management), where the syscall lacks boundary validation against protected kernel address ranges. This represents a fundamental memory protection failure in the operating system's security model, allowing Ring 3 code to breach the Ring 0 kernel boundary through legitimate system call interface rather than traditional buffer overflow exploitation.
RemediationAI
Upgrade immediately to NovumOS version 0.24 or later, available at https://github.com/MinecAnton209/NovumOS/releases/tag/v0.24, which implements proper boundary validation in the MemoryMapRange syscall to prevent mapping of protected kernel address ranges. If immediate upgrade is not feasible, implement strict application whitelisting to prevent execution of untrusted user-mode code, as exploitation requires ability to invoke Syscall 15 from a running process. For development/testing environments, consider running NovumOS instances in isolated virtual machines with no network connectivity and restricted host access to limit potential lateral movement if kernel compromise occurs - note this does not prevent the vulnerability but contains blast radius. Disabling or removing Syscall 15 functionality entirely would prevent exploitation but will break legitimate applications relying on custom memory mapping, causing application failures. No partial workaround exists that maintains full functionality while preventing exploitation; upgrade to 0.24 is the only complete remediation path. Audit any code previously executed on vulnerable versions for potential kernel-level persistence mechanisms installed through IDT/GDT manipulation.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23640