NovumOS local privilege escalation to kernel (CVE-2026-40317)
CVE-2026-40317
CVE-2026-40317 lets any standard user escalate to kernel-level root on NovumOS <0.24. An unvalidated syscall pointer grants full system control. Update to version 0.24 immediately.
Patch now - CVE-2026-40317 is a critical privilege escalation in NovumOS versions prior to 0.24 that lets any standard user execute code with full kernel privileges, completely bypassing all security boundaries. Update to version 0.24 to block this attack.
Overview
A critical security vulnerability in the NovumOS operating system allows any standard user to gain complete control of the system. Tracked as CVE-2026-40317, this flaw is due to a missing validation check in a specific system call, enabling local privilege escalation to the highest kernel level.
Vulnerability Details
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, the kernel’s Syscall 12, named JumpToUser, fails to validate a pointer address supplied by a user-space application. This lack of validation allows a malicious program running with normal user permissions (Ring 3) to specify a kernel memory address (Ring 0) as its entry point. Consequently, the attacker’s code is executed with full kernel privileges, bypassing all operating system security boundaries.
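The missing check, as an added C model that is not NovumOS's own Zig code: a JumpToUser-style handler must refuse any entry pointer that is not a present, user-accessible (U/S) page below the kernel boundary, and the unchecked variant shows why a raw pointer cannot be trusted. The 3 GiB user/kernel split, the toy page table and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define KERNEL_BASE 0xC0000000u /* assumed 3G/1G split; NovumOS's real layout is not stated */
#define PAGE_SHIFT  12u
#define PTE_PRESENT 0x1u        /* x86 PTE bit 0 */
#define PTE_USER    0x4u        /* x86 PTE bit 2 (U/S): Ring 3 may access the page */

enum jump_result { JUMP_OK = 0, JUMP_ERR_KERNEL_ADDR, JUMP_ERR_NOT_MAPPED, JUMP_ERR_NOT_USER };

/* Constructed stand-in for a page-table walk: page number -> PTE flags. */
struct toy_pte { uint32_t page; uint32_t flags; };
static const struct toy_pte toy_ptes[] = {
    { 0x08048000u >> PAGE_SHIFT, PTE_PRESENT | PTE_USER }, /* user program text */
    { 0xBFFFF000u >> PAGE_SHIFT, PTE_PRESENT | PTE_USER }, /* user stack */
    { 0x00100000u >> PAGE_SHIFT, PTE_PRESENT },            /* low kernel page, supervisor only */
    { 0xC0100000u >> PAGE_SHIFT, PTE_PRESENT },            /* kernel text */
};

static uint32_t lookup_pte_flags(uint32_t addr)
{
    for (size_t i = 0; i < sizeof toy_ptes / sizeof toy_ptes[0]; i++)
        if (toy_ptes[i].page == (addr >> PAGE_SHIFT))
            return toy_ptes[i].flags;
    return 0; /* not present */
}

/* Pre-0.24 shape described in the advisory: the caller's pointer is trusted as-is,
 * so a Ring 0 address would become the new instruction pointer. */
enum jump_result jump_to_user_unchecked(uint32_t entry)
{
    (void)entry;
    return JUMP_OK;
}

/* Hardened shape: hand control only to an address Ring 3 could execute itself. */
enum jump_result jump_to_user_checked(uint32_t entry)
{
    if (entry >= KERNEL_BASE) return JUMP_ERR_KERNEL_ADDR;   /* cheap range check first */
    uint32_t flags = lookup_pte_flags(entry);
    if (!(flags & PTE_PRESENT)) return JUMP_ERR_NOT_MAPPED;
    if (!(flags & PTE_USER))    return JUMP_ERR_NOT_USER;    /* U/S bit is the real boundary */
    return JUMP_OK; /* only now is it safe to iret into Ring 3 at `entry` */
}

int main(void)
{
    printf("kernel address, unchecked: %d\n", (int)jump_to_user_unchecked(0xC0100000u));
    printf("kernel address, checked:   %d\n", (int)jump_to_user_checked(0xC0100000u));
    printf("user address, checked:     %d\n", (int)jump_to_user_checked(0x08048000u));
    return 0;
}
```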
Impact
The impact of this vulnerability is severe. Any logged-in user, including unprivileged accounts, can exploit this flaw to escalate their privileges to root/kernel level (Ring 0). With this level of access, an attacker can install persistent malware, disable security controls, access all data on the system, and manipulate the operating system’s core functions. The CVSS v3.1 base score of 9.3 reflects the high severity, as the attack requires no privileges, no user interaction, and has low complexity.
Remediation and Mitigation
The primary and definitive solution is to update NovumOS to version 0.24, where this vulnerability has been patched. System administrators and developers should apply this update as soon as possible.
If an immediate update is not feasible, the following temporary mitigations can be applied:
- Restrict system access by running in single-user mode only.
- Disable all user-mode (Ring 3) processes. Operate the system using only the kernel shell, ensuring no untrusted user code can execute.
These mitigations are disruptive and intended only as a stopgap measure until the patched version can be installed.
Security Insight
This vulnerability is a classic example of a missing bounds check leading to a complete architectural bypass. It mirrors historical flaws in early operating systems where the transition between user and kernel mode was not rigorously guarded. For projects like NovumOS, which are in active development, this incident underscores the critical importance of implementing and auditing syscall handlers (the gatekeepers between security domains) with extreme rigor from the earliest stages.