{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/639124#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe GamersFirst Anti-Cheat (GFAC) driver GFAC.sys contains multiple local privilege escalations and denial-of-service vulnerabilities stemming from insecure handling of user-controlled input through a minifilter communication port. A local attacker can abuse these flaws to perform arbitrary kernel memory writes, obtain privilege escalation to SYSTEM, or trigger a system crash.\r\n\r\n### Description\r\nGFAC is a proprietary anti-cheat software developed by video game publisher Little Orbit. GFAC includes a kernel-mode driver, `GFAC_Sys_x64.sys`, that exposes privileged functionality to user-mode applications through a minifilter communication port. Although these low-level interfaces are necessary for the software's operation, vulnerabilities can arise if user-mode access is not properly restricted and validated.\r\n\r\n**CVE-2026-12166** `GFAC_Sys_x64.sys` contains a NULL pointer dereference condition in its initialization and request handling logic. A local attacker can trigger the vulnerable code path, causing the driver to read or write to a memory address assigned as NULL. Successful exploitation results in a system crash (“blue screen of death”). \r\n\r\n**CVE-2026-12167** The minifilter communication port that `GFAC_Sys_x64.sys` exposes does not enforce sufficiently restrictive security descriptors. As a result, low-privileged users can establish connections to the driver and access functions intended only for trusted processes. [RM1.1][MB1.2][RM1.3]User access to privileged functions could help an attacker take advantage of other weaknesses in the driver. \r\n\r\n**CVE-2026-12168** `GFAC_Sys_x64.sys` processes messages received through a minifilter communication port without properly validating user-supplied memory addresses before performing write operations. An attacker can provide a crafted request containing a desired destination address and data value, causing the driver to write arbitrary data to kernel memory. This write-what-where condition can be leveraged to modify sensitive operating system structures, such as process security tokens, resulting in privilege escalation to SYSTEM.\r\n\r\n### Impact\r\nMultiple vulnerabilities in the driver may allow local attackers to crash the system, escalate privileges to SYSTEM, or execute unauthorized code. Due to insufficient access controls, privileged driver functionality is exposed to untrusted users, increasing the likelihood and impact of exploitation.\r\n\r\n### Solution\r\nUnfortunately, we were unable to reach the vendor to coordinate this vulnerability. Users should restrict local access to trusted users and monitor systems for unauthorized interactions with GFAC. Where available, games that utilize GFAC should be disabled or removed until an update is available to address the identified vulnerabilities.  \r\n\r\n### Acknowledgements\r\nThanks to Lucian Alexandru Necula for identifying and disclosing these vulnerabilities. This document was written by Michael Bragg.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/639124"},{"url":"https://www.littleorbit.com/","summary":"https://www.littleorbit.com/"},{"url":"https://github.com/FzRsLLaSheR/CVE-2026-12166_CVE-2026-12167_CVE-2026-12168","summary":"https://github.com/FzRsLLaSheR/CVE-2026-12166_CVE-2026-12167_CVE-2026-12168"}],"title":"Multiple local privilege escalation vulnerabilities in Little Orbits GameFirst Anti-Cheat","tracking":{"current_release_date":"2026-07-02T15:07:10+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#639124","initial_release_date":"2026-07-02 14:34:36.449533+00:00","revision_history":[{"date":"2026-07-02T15:07:10+00:00","number":"1.20260702150710.4","summary":"Released on 2026-07-02T15:07:10+00:00"}],"status":"final","version":"1.20260702150710.4"}},"vulnerabilities":[{"title":"An improper validation vulnerability for driver `GFAC_Sys_x64.","notes":[{"category":"summary","text":"An improper validation vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port."}],"cve":"CVE-2026-12168","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#639124"}]},{"title":"A NULL pointer dereference vulnerability for driver `GFAC_Sys_x64.","notes":[{"category":"summary","text":"A NULL pointer dereference vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to cause a denial of service via crafted requests that trigger a system crash."}],"cve":"CVE-2026-12166","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#639124"}]},{"title":"The Minifilter communication port for driver `GFAC_Sys_x64.","notes":[{"category":"summary","text":"The Minifilter communication port for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to access privileged driver functionality via a communication interface that lacks appropriate access restrictions."}],"cve":"CVE-2026-12167","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#639124"}]}],"product_tree":{"branches":[]}}