Skip to main content

Wellbia XIGNCODE3 EUVDEUVD-2026-29110

| CVE-2026-3609 HIGH
2026-05-11 certcc GHSA-4gcg-jv45-v47x
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 09:05 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.8 (HIGH)
CVE Published
May 11, 2026 - 16:25 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS. Cross reference to KVE 2023-5589 (https://krcert.or.kr)

AnalysisAI

Local privilege escalation in Wellbia XIGNCODE3 anti-cheat driver (xhunter1.sys) allows any low-privileged user process to obtain a PROCESS_ALL_ACCESS handle to arbitrary processes by sending the IRP_MJ_REITS command to the kernel driver. Because XIGNCODE3 is bundled with many online games and runs with kernel privileges, a local attacker on an affected gaming system can hijack high-integrity processes including LSASS. Publicly available exploit code exists in the form of a detailed write-up, though EPSS exploitation probability remains very low at 0.02%.

Technical ContextAI

XIGNCODE3 is a commercial anti-cheat product by Wellbia that ships a kernel-mode driver (xhunter1.sys) loaded on Windows endpoints running supported games. The driver exposes an IOCTL/IRP dispatch table; in this case the IRP_MJ_REITS major function handler accepts requests from user-mode callers without adequately validating the requestor's identity or intended target, then returns a handle to a target process opened with PROCESS_ALL_ACCESS. This is functionally a missing access-control / over-privileged handle issuance bug in a signed kernel driver (a CWE-269/CWE-782 style flaw, though no CWE is assigned in NVD), and the case is closely related to the prior KrCERT-tracked issue KVE-2023-5589 referenced in the disclosure. The CPE confines impact to cpe:2.3:a:wellbia:xigncode3_anti-cheat, with EUVD pinning the affected build to XIGNCODE3 Anti-Cheat 10.0.10011.16384.

RemediationAI

No vendor-released patch identified at time of analysis - the supplied references include only KrCERT (https://krcert.or.kr) and the third-party write-up at https://blacksnufkin.github.io/posts/AntiCheat-LPE-CVE-2026-3609/, with no Wellbia advisory or fixed build listed. Defenders should contact Wellbia or the bundling game publisher for an updated XIGNCODE3 build superseding 10.0.10011.16384, and in the interim apply compensating controls: uninstall games that load xhunter1.sys on sensitive endpoints (workstations used for admin tasks, developer machines, anything joined to a privileged domain), and add xhunter1.sys to the Microsoft Vulnerable Driver Blocklist or a WDAC policy so the driver cannot load - the trade-off is that any game depending on XIGNCODE3 will refuse to start. Where blocklisting is too disruptive, restrict the driver to dedicated, non-privileged gaming-only systems segmented from corporate identity and credential material, and monitor for unexpected OpenProcess calls and IRP traffic to \Device\xhunter1 via EDR.

Share

EUVD-2026-29110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy