Minecanton209

**Name of the Vulnerable Software and Affected Versions** NovumOS versions prior to 0.24 **Description** Syscall 12 ('JumpToUser') accepts an arbitrary entry point address from user-space registers without validation. This allows a Ring 3 user-mode process to jump to kernel addresses and execute arbitrary code in Ring 0 context, leading to local privilege escalation. Ring 3 refers to the least privileged user mode, while Ring 0 refers to the most privileged kernel mode. **Recommendations** Update to version 0.24. Restrict syscall access by running the system in single-user mode without Ring 3 and disable user-mode processes by only running the kernel shell with no user processes.

**Name of the Vulnerable Software and Affected Versions** NovumOS versions prior to 0.24 **Description** Syscall 15 ('MemoryMapRange') allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions. This includes critical kernel structures such as the IDT (Interrupt Descriptor Table), GDT (Global Descriptor Table), TSS (Task State Segment), and page tables. A local attacker can exploit this to modify kernel interrupt handlers, resulting in privilege escalation from user mode to kernel context. **Recommendations** Update to version 0.24.