GamersFirst Anti-Cheat Driver Has 3 CVEs in Windows
An anti-cheat system designed to keep games fair has instead introduced a serious security gap. CERT/CC at Carnegie Mellon University disclosed three vulnerabilities in the GamersFirst Anti-Cheat driver. All three reside in the driver developed by publisher Little Orbit.
How the Driver Works and Where It Fails
The flaws reside in the driver file GFAC_Sys_x64.sys. This driver operates at the Windows kernel level. It grants ordinary applications access to privileged functions through a minifilter communication port.
Anti-cheat software needs this mechanism to monitor the system. However, GFAC enforces access restrictions too loosely and validates incoming data inadequately.
CVE-2026-12166 Null-Pointer Crash (CVSS 5.5, Medium)
CVE-2026-12166 allows a local user to crash the driver by triggering a null-pointer dereference. A successful exploit brings down the entire system. It also triggers the Windows blue screen of death.
CVE-2026-12167 Weak Port Access Controls (CVSS 7.8, High)
CVE-2026-12167 stems from weak access controls on the driver’s communication port. As a result, low-privileged users can connect to GFAC_Sys_x64.sys. They can then reach functions that should be restricted to trusted processes only.
CVE-2026-12168 Kernel Write Primitive, Privilege Escalation to SYSTEM (CVSS 7.8, High)
CVE-2026-12168 is the most critical of the three. It also scores 7.8 (High). The driver accepts messages from user-space applications. However, it does not properly validate memory addresses before writing.
An attacker can craft a malicious request. That request causes the driver to write arbitrary data into a chosen kernel memory region. That capability allows modification of sensitive Windows structures, including process security tokens. Consequently, an attacker can escalate privileges all the way to SYSTEM level.
Combined Impact and Risk
According to CERT, this combination of flaws is serious. A local attacker can crash the system, gain maximum privileges, or execute unauthorized code. The risk is compounded by the fact that privileged driver functions remain accessible to untrusted users.
No Patch Available, What Users Should Do Now
Researchers were unable to coordinate disclosure with Little Orbit. Until a patch is available, users should restrict local machine access to trusted accounts only. They should also monitor for suspicious requests to GFAC. Where possible, they should uninstall or disable games that rely on the GamersFirst Anti-Cheat driver.
CERT publicly disclosed these vulnerabilities on July 2, 2026.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.