{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/novumos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-40572"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","novumOS","CVE-2026-40572"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNovumOS, a custom 32-bit operating system written in Zig and x86 Assembly, is vulnerable to a critical privilege escalation flaw. Specifically, versions prior to 0.24 contain a vulnerability in Syscall 15, also known as MemoryMapRange. This syscall allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space. This includes forbidden regions that should be protected, such as critical kernel structures including the Interrupt Descriptor Table (IDT), Global Descriptor Table (GDT), Task State Segment (TSS), and page tables. An attacker with local access to a vulnerable NovumOS system can exploit this vulnerability to gain kernel-level privileges, allowing for complete system compromise. This vulnerability is identified as CVE-2026-40572, and has a CVSS v3.1 base score of 9.0. The vulnerability is fixed in NovumOS version 0.24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker gains initial access to a NovumOS system. This may involve having an existing user account or exploiting another vulnerability for initial entry.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a user-mode process with the intention of escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe process invokes Syscall 15 (MemoryMapRange) with arguments specifying a virtual address range corresponding to a critical kernel structure, such as the IDT.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability in NovumOS versions prior to 0.24, the MemoryMapRange syscall does not properly validate the requested memory region.\u003c/li\u003e\n\u003cli\u003eThe syscall allows the user-mode process to successfully map the kernel memory region into its own address space.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the mapped kernel memory, specifically overwriting entries in the IDT to redirect interrupt handlers to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eAn interrupt is triggered, either by a hardware event or a software instruction, causing the system to execute the attacker\u0026rsquo;s code in kernel mode.\u003c/li\u003e\n\u003cli\u003eThe attacker now has kernel-level privileges and can perform any action on the system, including installing backdoors, exfiltrating data, or causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40572 allows a local attacker to escalate privileges from user mode to kernel mode on NovumOS systems running versions prior to 0.24. This grants the attacker complete control over the affected system. The attacker can then install persistent backdoors, steal sensitive data, or disrupt system operations. Given the base score of 9.0, this is considered a critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NovumOS installations to version 0.24 or later to patch CVE-2026-40572.\u003c/li\u003e\n\u003cli\u003eImplement system call monitoring to detect suspicious invocations of Syscall 15 (MemoryMapRange). The \u003ccode\u003eMemoryMapRange Syscall Invocation\u003c/code\u003e Sigma rule below can assist with this.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected modifications to kernel structures such as the IDT, GDT, and TSS. The \u003ccode\u003eKernel Structure Modification\u003c/code\u003e Sigma rule below can assist with this.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T01:16:19Z","date_published":"2026-04-18T01:16:19Z","id":"/briefs/2024-01-28-novum-privesc/","summary":"A vulnerability exists in NovumOS versions prior to 0.24 where the MemoryMapRange syscall allows user-mode processes to map arbitrary virtual address ranges, including kernel structures, leading to privilege escalation.","title":"NovumOS MemoryMapRange Privilege Escalation Vulnerability (CVE-2026-40572)","url":"https://feed.craftedsignal.io/briefs/2024-01-28-novum-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-40317"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","syscall","novumos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNovumOS, a custom 32-bit operating system built with Zig and x86 Assembly, is vulnerable to a critical privilege escalation. Prior to version 0.24, Syscall 12, known as JumpToUser, fails to validate the entry point address provided by user-space registers. This flaw allows any process running in Ring 3 (user mode) to redirect execution to kernel addresses, thereby executing arbitrary code within the Ring 0 context (kernel mode). This effectively grants user-level processes complete control over the system. The vulnerability was addressed and patched in NovumOS version 0.24. Organizations using affected versions of NovumOS are at risk of local privilege escalation attacks. The recommended mitigation is to upgrade to version 0.24. If immediate upgrading is not feasible, a temporary mitigation involves restricting syscall access by operating in single-user mode without Ring 3 and disabling user-mode processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user-mode process is initiated in Ring 3.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing the address of a kernel function or memory region they wish to control.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious kernel address into the registers used by Syscall 12 (JumpToUser).\u003c/li\u003e\n\u003cli\u003eThe user-mode process invokes Syscall 12.\u003c/li\u003e\n\u003cli\u003eDue to the lack of validation in versions prior to 0.24, the system accepts the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe CPU begins executing code at the attacker-specified kernel address in Ring 0.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code can now perform privileged operations, modify kernel data structures, or execute other kernel functions.\u003c/li\u003e\n\u003cli\u003eThe attacker has successfully escalated their privileges to the highest level, potentially gaining full control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40317 allows an attacker to gain complete control over a NovumOS system. This could lead to data breaches, system instability, or the deployment of rootkits. The vulnerability impacts any system running NovumOS versions prior to 0.24. Given the nature of the vulnerability, a single successful exploit leads to total compromise of the host.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to NovumOS version 0.24 to patch CVE-2026-40317.\u003c/li\u003e\n\u003cli\u003eIf an upgrade is not immediately possible, restrict syscall access by running the system in single-user mode without Ring 3 as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eDisable user-mode processes and only run the kernel shell to prevent exploitation of CVE-2026-40317.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T01:16:19Z","date_published":"2026-04-18T01:16:19Z","id":"/briefs/2026-04-novumos-lpe/","summary":"A local privilege escalation vulnerability exists in NovumOS versions before 0.24, where Syscall 12 (JumpToUser) lacks input validation, allowing user-mode processes to execute arbitrary code in kernel mode.","title":"NovumOS Local Privilege Escalation via Unvalidated Syscall","url":"https://feed.craftedsignal.io/briefs/2026-04-novumos-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — NovumOS","version":"https://jsonfeed.org/version/1.1"}