CVE-2026-3796 identifies a vulnerability in Qi-ANXIN's QAX Virus Removal software, specifically in the ZwTerminateProcess function within the QKSecureIO_Imp.sys Mini Filter Driver component. This function is responsible for terminating processes at the kernel level. Due to improper access control mechanisms, a local attacker with low-level privileges can manipulate this function to terminate arbitrary processes without proper authorization. The vulnerability arises from insufficient validation of the caller's permissions before allowing process termination, which could lead to unauthorized termination of critical system or security processes. The attack vector is local, requiring the attacker to have some level of access to the affected system, but does not require user interaction or elevated privileges beyond low-level local access. The vendor was notified early but has not issued any response or patch, and the exploit code has been made publicly available, increasing the risk of exploitation. The CVSS v4.0 score is 4.8, reflecting a medium severity level due to the limited attack vector and scope but notable impact on system integrity and availability. No known exploits in the wild have been reported to date.

The vulnerability allows a local attacker to terminate arbitrary processes, potentially disrupting critical system functions or security services, leading to denial of service or privilege escalation scenarios. This can undermine the integrity and availability of the affected system, especially if security or antivirus processes are terminated. Organizations relying on Qi-ANXIN QAX Virus Removal for endpoint protection may face increased risk of compromise or system instability. The lack of vendor response and patch availability prolongs exposure, increasing the window for potential exploitation. While remote exploitation is not possible, insider threats or malware with local access could leverage this flaw to escalate privileges or disable defenses. This could impact operational continuity, data integrity, and system security posture.

Until an official patch is released, organizations should implement strict local access controls to limit the number of users with local system access. Employ application whitelisting and endpoint detection to monitor and restrict unauthorized process terminations. Use host-based intrusion prevention systems (HIPS) to detect abnormal calls to ZwTerminateProcess or attempts to manipulate the Mini Filter Driver. Regularly audit running processes and system logs for unusual termination events. Consider isolating critical systems running Qi-ANXIN QAX Virus Removal from untrusted users and networks. Engage with the vendor for updates and monitor security advisories for patch releases. If feasible, temporarily disable or replace the vulnerable component with alternative security solutions until remediation is available.