CISA issues alert on GFAC driver local privilege escalation
Little Orbit’s GamersFirst Anti-Cheat (GFAC) includes a kernel-mode driver, GFAC.sys, with multiple local privilege escalation and denial-of-service issues. These vulnerabilities involve insecure handling of user-controlled input through a minifilter communication port, enabling a local attacker to perform arbitrary kernel memory writes, gain privilege escalation to SYSTEM, or trigger a system crash.
The GFAC_Sys_x64.sys driver exposes privileged functionality to user-mode applications through a minifilter communication port. CVE-2026-12166 describes a NULL pointer dereference condition in the driver’s initialization and request handling logic, where exploitation causes the driver to read or write to a memory address assigned as NULL and results in a system crash, “blue screen of death.” CVE-2026-12167 states that the minifilter communication port does not enforce sufficiently restrictive security descriptors, allowing low-privileged users to connect and access functions intended only for trusted processes. CVE-2026-12168 states that GFAC_Sys_x64.sys processes messages received through the minifilter communication port without properly validating user-supplied memory addresses before performing write operations; a crafted request can provide a desired destination address and a data value to cause write-what-where behavior, modifying operating system structures such as process security tokens and leading to privilege escalation to SYSTEM.
The vulnerabilities may allow local attackers to crash the system, escalate privileges to SYSTEM, or execute unauthorized code. The advisory links these outcomes to insufficient access controls that expose privileged driver functionality to untrusted users, increasing the likelihood and impact of exploitation.
The advisory states that coordination with the vendor was not possible. It instructs users to restrict local access to trusted users and to monitor systems for unauthorized interactions with GFAC. It also states that where available, games that utilize GFAC should be disabled or removed until an update is available to address the identified vulnerabilities.
Thanks to Lucian Alexandru Necula for identifying and disclosing the vulnerabilities, and the document was written by Michael Bragg. Vendor information is available in the advisory references, including https://www.littleorbit.com/ and https://github.com/FzRsLLaSheR/CVE-2026-12166_CVE-2026-12167_CVE-2026-12168.