Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local vector and no UI since a low-privileged user sends IOCTLs to the kernel port (AV:L/PR:L/UI:N); kernel code execution yields full C/I/A high with unchanged scope.
Primary rating from Vendor (certcc).
CVSS VectorVendor: certcc
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An improper validation vulnerability for driver GFAC_Sys_x64.sys in Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port.
AnalysisAI
Local privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) lets a low-privileged user reach SYSTEM and run arbitrary code in kernel mode by sending crafted messages to the GFAC_Sys_x64.sys minifilter communication port. All GameFirst Anti-Cheat builds up to and including the 2025-07-07 release are affected, and a public GitHub repository covering this CVE alongside two sibling flaws indicates exploit material is available. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access with at least a low-privileged user account on a Windows host that has Little Orbit GameFirst Anti-Cheat installed and its GFAC_Sys_x64.sys driver loaded - the attacker must be able to open and send messages to the driver's minifilter communication port. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) accurately frames this as a high-severity local escalation, not a remote entry point: an attacker must already have code execution as a low-privileged local user, but from there exploitation is low-complexity, requires no user interaction, and yields full confidentiality, integrity, and availability impact by reaching SYSTEM/kernel. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained low-privileged code execution on a gaming workstation - for example via a malicious mod, phishing payload, or a compromised standard user account - opens a handle to the GFAC minifilter communication port and sends a crafted, malformed message that the driver fails to validate. The resulting kernel-mode memory corruption is leveraged to execute attacker-controlled code as SYSTEM, completing a full local privilege escalation; a public repository referencing this CVE increases the likelihood that working exploit code is available. |
| Remediation | No vendor-released patched version number is identified in the available data; the EUVD record only bounds the vulnerable range as ≤2025-07-07, implying a later fixed build exists but without a confirmed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all systems running GFAC versions through 2025-07-07, prioritizing those with internet access or sensitive data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gamefirst Anti Cheat
View allLocal privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) kernel driver GFAC_Sys_x64.sys allows an unpriv
NULL pointer dereference in the GFAC_Sys_x64.sys kernel driver of Little Orbit's GameFirst Anti-Cheat enables a local lo
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41378
GHSA-vh4v-p8g7-pj9w