CVE-2026-12168
Received - Intake

Improper Validation in Little Orbit GFAC Driver

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: CERT/CC

Description

An improper validation vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02

Affected Vendors & Products

1 associated CPE:

| Vendor | Product | Version / Range |
|---|---|---|
| little_orbit | gamefirst_anti-cheat | 0 |

CWE

CWE ID: CWE-UNKNOWN

Compliance Impact

The vulnerability allows a local attacker to escalate privileges to SYSTEM level and execute arbitrary code in kernel mode, potentially leading to full system compromise.

Such unauthorized privilege escalation and system control could result in unauthorized access to sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Detection Guidance

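This vulnerability involves the `GFAC_Sys_x64.sys` driver used by Little Orbit's GameFirst Anti-Cheat software. Detection focuses on identifying the presence of this driver on the system.

You can check whether the vulnerable driver is installed or loaded by listing driver services and loaded drivers, or by looking for installed software that ships GFAC.

  • On Windows, run `sc query GFAC_Sys_x64` to check whether the driver service is running. In Windows PowerShell, type `sc.exe`, because `sc` is an alias for `Set-Content`. The command assumes the service name matches the driver file name.
  • Alternatively, run `driverquery /v | findstr /i GFAC_Sys_x64` to see whether the driver is present; the State column shows whether it is running. The `/v` switch is needed because the default `driverquery` output lists module names without the `.sys` file name.
  • You can also check for installed games or software from Little Orbit that include the GFAC driver.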

Since the vulnerability is local and involves crafted messages sent through a minifilter communication port, network detection is not applicable.
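
The checks above can be combined into one inventory script. This is an added example, not tooling from the vendor or CERT/CC; it matches on the driver's image path rather than an assumed service name, and the default search folders are assumptions to adjust per host.

```powershell
# Added example, not vendor or CERT/CC tooling. Only the driver file name
# comes from the advisory; the default search roots are assumptions.
$DriverFile = 'GFAC_Sys_x64.sys'

function Find-GfacDriverService {
    # Match on the image path, since the service name may differ from the file name.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverFile*" } |
        Select-Object Name, State, StartMode, PathName
}

function Find-GfacDriverFile {
    param(
        # Assumed install locations; add game library folders on other drives.
        [string[]]$Roots = @(
            (Join-Path $env:SystemRoot 'System32\drivers'),
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)}
        )
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter $DriverFile -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

$services = @(Find-GfacDriverService)
$files    = @(Find-GfacDriverFile)

if ($services.Count -eq 0 -and $files.Count -eq 0) {
    Write-Output "$DriverFile not found as a driver service or in the searched folders."
} else {
    # A stopped service or an on-disk copy is still reported, since the driver
    # may be present even when no game is running.
    $services | Format-List
    $files    | Format-List
}
```

Run it from an elevated prompt so the recursive search is not cut short by access-denied folders.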

Executive Summary

CVE-2026-12168 is a local privilege escalation vulnerability in the Little Orbit GFAC driver, specifically in the GFAC_Sys_x64.sys component. The vulnerability occurs because the driver does not properly validate user-supplied memory addresses when processing messages sent through a minifilter communication port. This improper validation allows a local attacker to send crafted messages that cause arbitrary kernel memory writes, known as a "write-what-where" condition.

By exploiting this flaw, an attacker can modify critical operating system structures, such as process security tokens, which enables them to escalate their privileges to SYSTEM level and execute arbitrary code in kernel mode.

Impact Analysis

This vulnerability can have severe impacts on affected systems. A local attacker with low privileges can exploit it to gain SYSTEM-level privileges, effectively gaining full control over the system. The consequences include:

  • Execution of arbitrary code in kernel mode.
  • Modification of critical OS structures, such as security tokens.
  • Complete system compromise.

Because the vulnerability is in a driver used by multiple games and may be present even when not actively gaming, systems with the GFAC driver installed are at risk. Since no patch is currently available, users are advised to restrict local access and disable or remove GFAC-dependent games to mitigate risk.

Mitigation Strategies

Since no patch or fix has been released by the vendor, immediate mitigation steps focus on limiting exposure and removing the vulnerable component.

  • Restrict local access to the system to trusted users only to prevent exploitation by untrusted local attackers.
  • Disable or uninstall the Little Orbit GameFirst Anti-Cheat software and any games that depend on the GFAC driver.
  • Monitor for any suspicious local activity that might indicate exploitation attempts.

These steps reduce the risk of privilege escalation until an official patch or update is provided.
