Kingsoft and 360 Security Guard drivers contain privilege escalation flaws

by Anika Shah - Technology
0 comments

Security researcher Patrick Saif, known online as @weezerOSINT, disclosed on April 13, 2026, that kernel drivers in two of China’s most prominent antivirus programs—Kingsoft Antivirus and 360 Security Guard—contain high-risk vulnerabilities. These flaws allow a local user to escalate privileges from a standard account to the highest Windows SYSTEM level, effectively granting a hacker total control over the target machine.

The irony is sharp. Software designed to harden a system’s perimeter has instead provided a wide-open door for attackers.

How the technical flaws work

Kingsoft’s kdhacker64_ev.sys driver suffers from a buffer allocation failure. When the driver receives user input via IOCTL 0x120140, it allocates only half the necessary space. Writing 1,160 bytes into a 584-byte buffer triggers a 512-byte kernel pool overflow. Because the driver lacks boundary checks during the RtlInitUnicodeString call, an attacker can employ this overflow to seize the system.

How the technical flaws work
Security Guard Security Windows

360 Security Guard’s DsArk64.sys driver presents a different but equally severe risk. It allows a 4-byte process ID to be passed via an IOCTL interface, which then calls the ZwTerminateProcess function at Ring 0. This bypasses Protected Process Light (PPL) mechanisms, letting an attacker kill any process on the system.

The 360 driver also includes a kernel read/write feature encrypted with AES-128-CBC. The decryption key is hardcoded in the .data segment of the binary file and remains identical across all versions, making it trivial for attackers to decrypt and exploit.

Why official signatures increase the risk

Both drivers carry official EV or WHQL signatures. This is the critical failure point. Normally, Windows blocks the loading of unsigned or malicious drivers, but these signatures act as a trusted passport.

Attackers don’t need to trick a user into installing modern software. They can simply load these legitimate, signed drivers to deliver a malicious payload. This bypasses Kernel Address Space Layout Randomization (KASLR) and allows for the theft of kernel credentials or the modification of kernel callback tables to hide malicious activity.

The vulnerabilities are currently listed in the LOLDrivers database. Neither has received a CVE number, and they aren’t on the Hypervisor-Protected Code Integrity (HVCI) blocklist yet.

Can attackers use these without installing the antivirus?

Yes. Because the drivers have EV or WHQL signatures, an attacker can load the malicious payload directly onto the target device without needing to install the full antivirus software suite.

360 total security antivirus 🤷‍♂️😂😂 #windows #antivirus #software #programs

What specific system permissions are at risk?

Attackers can elevate privileges from a standard user to the Windows SYSTEM level, which is the highest level of authority on the operating system.

Related Posts

Leave a Comment