<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-40572 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-40572/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 18 Apr 2026 01:16:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-40572/feed.xml" rel="self" type="application/rss+xml"/><item><title>NovumOS MemoryMapRange Privilege Escalation Vulnerability (CVE-2026-40572)</title><link>https://feed.craftedsignal.io/briefs/2024-01-28-novum-privesc/</link><pubDate>Sat, 18 Apr 2026 01:16:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-28-novum-privesc/</guid><description>A vulnerability exists in NovumOS versions prior to 0.24 where the MemoryMapRange syscall allows user-mode processes to map arbitrary virtual address ranges, including kernel structures, leading to privilege escalation.</description><content:encoded><![CDATA[<p>NovumOS, a custom 32-bit operating system written in Zig and x86 Assembly, is vulnerable to a critical privilege escalation flaw. Specifically, versions prior to 0.24 contain a vulnerability in Syscall 15, also known as MemoryMapRange. This syscall allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space. This includes forbidden regions that should be protected, such as critical kernel structures including the Interrupt Descriptor Table (IDT), Global Descriptor Table (GDT), Task State Segment (TSS), and page tables. 
An attacker with local access to a vulnerable NovumOS system can exploit this flaw to gain kernel-level privileges, allowing for complete system compromise. The vulnerability is identified as CVE-2026-40572 and has a CVSS v3.1 base score of 9.0. It is fixed in NovumOS version 0.24.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A local attacker gains initial access to a NovumOS system. This may involve having an existing user account or exploiting another vulnerability for initial entry.</li>
<li>The attacker executes a user-mode process with the intention of escalating privileges.</li>
<li>The process invokes Syscall 15 (MemoryMapRange) with arguments specifying a virtual address range corresponding to a critical kernel structure, such as the IDT.</li>
<li>Due to the vulnerability in NovumOS versions prior to 0.24, the MemoryMapRange syscall does not properly validate the requested memory region.</li>
<li>The syscall allows the user-mode process to successfully map the kernel memory region into its own address space.</li>
<li>The attacker modifies the mapped kernel memory, specifically overwriting entries in the IDT to redirect interrupt handlers to attacker-controlled code.</li>
<li>An interrupt is triggered, either by a hardware event or a software instruction, causing the system to execute the attacker&rsquo;s code in kernel mode.</li>
<li>The attacker now has kernel-level privileges and can perform any action on the system, including installing backdoors, exfiltrating data, or causing a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40572 allows a local attacker to escalate privileges from user mode to kernel mode on NovumOS systems running versions prior to 0.24. This grants the attacker complete control over the affected system. The attacker can then install persistent backdoors, steal sensitive data, or disrupt system operations. Given the base score of 9.0, this is considered a critical vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade NovumOS installations to version 0.24 or later to patch CVE-2026-40572.</li>
<li>Implement system call monitoring to detect suspicious invocations of Syscall 15 (MemoryMapRange). The <code>MemoryMapRange Syscall Invocation</code> Sigma rule below can assist with this.</li>
<li>Monitor for unexpected modifications to kernel structures such as the IDT, GDT, and TSS. The <code>Kernel Structure Modification</code> Sigma rule below can assist with this.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>novumOS</category><category>CVE-2026-40572</category></item></channel></rss>