CVE-2026-3796

5.3 MEDIUM

📋 TL;DR

This vulnerability in Qi-ANXIN QAX Virus Removal allows local attackers to bypass access controls through improper handling in the ZwTerminateProcess function. Attackers with local access can exploit this to terminate processes they shouldn't have permission to access. Only users of Qi-ANXIN QAX Virus Removal up to October 22, 2025 are affected.

💻 Affected Systems

Products:
  • Qi-ANXIN QAX Virus Removal
Versions: All versions up to 2025-10-22
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the QKSecureIO_Imp.sys driver to be loaded, which is part of the antivirus software installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation allowing attackers to terminate critical system processes, potentially causing system instability or facilitating further attacks.

🟠

Likely Case

Local users can terminate processes they shouldn't have access to, potentially disrupting antivirus protection or other security software.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to process termination without privilege escalation.

🌐 Internet-Facing: LOW - The vulnerability requires local code execution and cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local attackers can exploit this, but it requires prior access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on GitHub as 'FocusKiller'. The attack requires the ability to execute code locally on the affected system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Consider alternative antivirus solutions or implement workarounds.

🔧 Temporary Workarounds

Disable or remove vulnerable driver (Windows)

Prevent loading of the vulnerable QKSecureIO_Imp.sys driver:

  sc stop QKSecureIO
  sc delete QKSecureIO

Uninstall vulnerable software (Windows)

Remove Qi-ANXIN QAX Virus Removal completely:

  Control Panel > Programs > Uninstall a program > Select Qi-ANXIN QAX Virus Removal

🧯 If You Can't Patch

  • Implement strict local access controls and monitor for suspicious process termination attempts
  • Deploy application whitelisting to prevent unauthorized execution of exploit tools

🔍 How to Verify

Check if Vulnerable:

Check whether the QKSecureIO_Imp.sys driver is loaded: Open Device Manager > View > Show hidden devices > Look for the QKSecureIO driver

Check Version:

Check program version in Control Panel > Programs > Qi-ANXIN QAX Virus Removal properties

Verify Fix Applied:

Verify that the driver is no longer loaded and that the installed Qi-ANXIN software is a build released after 2025-10-22
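The checks above, and the "Disable or remove vulnerable driver" workaround, both depend on knowing whether the driver is registered and under what service name. The following script is an added example (not from the advisory or the vendor) that reports the driver's registration state and start mode, and lists the product's installed-program entry so its version can be compared with the 2025-10-22 cutoff. It assumes the driver file name QKSecureIO_Imp.sys from the advisory; the Uninstall-key DisplayName pattern '*QAX*' is a guess and may need adjusting.

```powershell
# Added example: verify presence/load state of the QKSecureIO_Imp.sys driver and find
# the product's install entry. Run from an elevated PowerShell session.
# Assumptions: driver file name from the advisory; '*QAX*' DisplayName pattern is a guess.
$DriverFile     = 'QKSecureIO_Imp.sys'
$ProductPattern = '*QAX*'

function Get-VulnerableDriverStatus {
    # Win32_SystemDriver enumerates kernel-mode driver services (Get-Service does not).
    $svc    = Get-CimInstance -ClassName Win32_SystemDriver |
              Where-Object { $_.PathName -like "*$DriverFile" }
    $onDisk = Test-Path (Join-Path $env:SystemRoot "System32\drivers\$DriverFile")

    if (-not $svc -and -not $onDisk) {
        return [pscustomobject]@{ Status = 'Absent'; ServiceName = $null; State = $null; StartMode = $null }
    }
    foreach ($s in $svc) {
        [pscustomobject]@{
            # 'Running' means the vulnerable driver is loaded in the kernel right now.
            Status      = if ($s.State -eq 'Running') { 'Loaded' } else { 'Registered' }
            # This is the name to pass to 'sc stop' / 'sc delete'; it is not always the file name.
            ServiceName = $s.Name
            State       = $s.State
            # Boot/System/Auto start modes reload the driver at next boot unless the service is deleted.
            StartMode   = $s.StartMode
        }
    }
    if (-not $svc -and $onDisk) {
        # Service entry gone but the file remains: the driver cannot load, but cleanup is incomplete.
        [pscustomobject]@{ Status = 'FileOnly'; ServiceName = $null; State = $null; StartMode = $null }
    }
}

function Get-InstalledProductEntry {
    # Same entries Control Panel > Programs reads; DisplayVersion/InstallDate support the
    # "newer than 2025-10-22" comparison from the advisory's verification step.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $ProductPattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString
}

Get-VulnerableDriverStatus | Format-Table -AutoSize
Get-InstalledProductEntry  | Format-Table -AutoSize
```

A result of 'Registered' with a Boot or System start mode means the driver will be back after the next reboot even though it is not currently loaded, so the service entry itself must be removed.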

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process termination events
  • Access denied errors for process termination attempts
  • Driver loading/unloading events for QKSecureIO

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

EventID=4689 (Windows Security: a process has exited) OR EventID=4656 (Windows Security: a handle to an object was requested), filtered for entries referencing 'ZwTerminateProcess' or the driver name 'QKSecureIO'
