CVE-2026-3796: Improper Access Controls in Qi-ANXIN QAX Virus Removal
A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys of the component Mini Filter Driver. Executing a manipulation can lead to improper access controls. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-3796 identifies an improper access control vulnerability in Qi-ANXIN's QAX Virus Removal software, specifically within the ZwTerminateProcess function of the QKSecureIO_Imp.sys Mini Filter Driver component. This function is responsible for terminating processes at the kernel level. The vulnerability arises because the access control mechanisms governing this function are insufficient, allowing a local attacker with limited privileges (PR:L) to manipulate process termination operations improperly. The attack vector is local, so the attacker must already have access to the system, but no user interaction is required to exploit the flaw. The vulnerability impacts confidentiality, integrity, and availability to a limited extent by enabling unauthorized termination of processes, potentially leading to privilege escalation or denial of service. The CVSS 4.0 base score is 4.8 (medium), reflecting the limited attack scope but notable impact. The vendor was contacted early but has not issued a patch or response, and a public exploit is available, which increases the risk of exploitation. No exploitation in the wild has been reported yet, but the public availability of exploit code raises the likelihood of future attacks. The vulnerability affects versions of QAX Virus Removal up to 2025-10-22. Because no vendor response or patch is available, organizations must rely on compensating controls until an official fix is released.
Potential Impact
The vulnerability allows a local attacker with limited privileges to improperly terminate processes, which can lead to unauthorized disruption of system operations, potential privilege escalation, or denial of service. This could compromise system stability and security, especially if critical security or system processes are terminated. Although remote exploitation is not possible, insider threats or malware with local access could leverage this flaw to escalate privileges or evade detection by terminating security tools. The availability of a public exploit increases the risk of exploitation and, with it, the likelihood of unauthorized access or system compromise. Organizations relying on Qi-ANXIN QAX Virus Removal for endpoint protection may see the effectiveness of their security posture reduced if this vulnerability is exploited. The lack of vendor remediation further exacerbates the risk, as no official patch is currently available to address the issue.
Mitigation Recommendations
1. Restrict local user privileges to the minimum necessary to reduce the risk of exploitation by low-privileged users.
2. Implement strict access control policies and monitor for unusual process termination activities, especially those involving security or system processes.
3. Employ host-based intrusion detection systems (HIDS) or endpoint detection and response (EDR) solutions to detect and alert on suspicious use of ZwTerminateProcess or related kernel-level operations.
4. Isolate critical systems and limit local access to trusted personnel only.
5. Regularly audit and review system logs for signs of exploitation attempts.
6. Engage with Qi-ANXIN for updates and monitor for any forthcoming patches or advisories.
7. Consider temporary alternative security solutions if the risk is deemed unacceptable and no patch is forthcoming.
8. Educate internal teams about the vulnerability and the importance of minimizing local access and privilege escalation risks.
Affected Countries
China, United States, South Korea, Japan, Germany, United Kingdom, India, Australia, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-08T08:41:59.080Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ae3d052904315ca386c494
Added to database: 3/9/2026, 3:22:45 AM
Last enriched: 3/16/2026, 9:27:28 AM
Last updated: 4/28/2026, 3:41:36 AM