Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS. Cross reference to KVE 2023-5589 (https://krcert.or.kr)
AnalysisAI
Local privilege escalation in Wellbia XIGNCODE3 anti-cheat driver (xhunter1.sys) allows any low-privileged user process to obtain a PROCESS_ALL_ACCESS handle to arbitrary processes by sending the IRP_MJ_REITS command to the kernel driver. Because XIGNCODE3 is bundled with many online games and runs with kernel privileges, a local attacker on an affected gaming system can hijack high-integrity processes including LSASS. Publicly available exploit code exists in the form of a detailed write-up, though EPSS exploitation probability remains very low at 0.02%.
Technical ContextAI
XIGNCODE3 is a commercial anti-cheat product by Wellbia that ships a kernel-mode driver (xhunter1.sys) loaded on Windows endpoints running supported games. The driver exposes an IOCTL/IRP dispatch table; in this case the IRP_MJ_REITS major function handler accepts requests from user-mode callers without adequately validating the requestor's identity or intended target, then returns a handle to a target process opened with PROCESS_ALL_ACCESS. This is functionally a missing access-control / over-privileged handle issuance bug in a signed kernel driver (a CWE-269/CWE-782 style flaw, though no CWE is assigned in NVD), and the case is closely related to the prior KrCERT-tracked issue KVE-2023-5589 referenced in the disclosure. The CPE confines impact to cpe:2.3:a:wellbia:xigncode3_anti-cheat, with EUVD pinning the affected build to XIGNCODE3 Anti-Cheat 10.0.10011.16384.
RemediationAI
No vendor-released patch identified at time of analysis - the supplied references include only KrCERT (https://krcert.or.kr) and the third-party write-up at https://blacksnufkin.github.io/posts/AntiCheat-LPE-CVE-2026-3609/, with no Wellbia advisory or fixed build listed. Defenders should contact Wellbia or the bundling game publisher for an updated XIGNCODE3 build superseding 10.0.10011.16384, and in the interim apply compensating controls: uninstall games that load xhunter1.sys on sensitive endpoints (workstations used for admin tasks, developer machines, anything joined to a privileged domain), and add xhunter1.sys to the Microsoft Vulnerable Driver Blocklist or a WDAC policy so the driver cannot load - the trade-off is that any game depending on XIGNCODE3 will refuse to start. Where blocklisting is too disruptive, restrict the driver to dedicated, non-privileged gaming-only systems segmented from corporate identity and credential material, and monitor for unexpected OpenProcess calls and IRP traffic to \Device\xhunter1 via EDR.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29110
GHSA-4gcg-jv45-v47x