A critical Windows kernel flaw, tracked as CVE-2026-40369, gives any unprivileged process the ability to increment arbitrary kernel memory repeatedly, and that capability can be turned into a reliable SYSTEM privilege escalation on Windows 11 24H2 and 25H2.
The bug resides in ntoskrnl.exe inside the helper ExpGetProcessInformation. It becomes reachable from user mode via a single NtQuerySystemInformation call using information class 253 (SystemProcessInformationExtension).
When invoked with this class, the kernel accepts a caller-supplied pointer and, under certain conditions, writes into that pointer without proper validation.
If the user-supplied buffer length is zero, the normal ProbeForWrite safety check is skipped. ExpGetProcessInformation assigns the caller pointer directly to an internal pointer (pExtensionOut) and then iterates through every process on the system.
For each process, the code increments three DWORD values at the attacker-controlled address: a generic counter, the total active thread count, and the total handle count.
Although the function detects that the buffer is too small and ultimately returns STATUS_INFO_LENGTH_MISMATCH, it completes all the increment writes before returning.
That combination turns a non‑fatal length mismatch into a deterministic, arbitrary 12‑byte kernel increment primitive usable from any standard user context.
This primitive is accessible from highly restricted runtimes, including browser renderer sandboxes (Chrome, Edge, Firefox). Because NtQuerySystemInformation is a core NT syscall, win32k lockdowns do not mitigate this path.
The affected info class performs no privilege checks, token restrictions, or integrity‑level gating, so low‑integrity or untrusted processes can trigger the kernel writes directly.
Public analyses and proof‑of‑concept code show how the increment primitive combines with a kernel ASLR (KASLR) bypass, for example, a prefetch side‑channel leak to produce a fully deterministic chain from a compromised renderer tab to SYSTEM.
Vendors and third‑party scorers place the flaw around CVSS 7.8 (high), reflecting low exploit complexity and severe impact on confidentiality, integrity, and availability once local code execution exists.
Researcher Ori Nimron has published a full exploit package and variants that model the Chrome sandbox. Reportedly, Windows 11 24H2 and 25H2 are affected; some advisories indicate Windows Server 2025 may also be impacted. Microsoft fixed CVE-2026-40369 in the May 2026 cumulative updates for Windows 11.
Administrators should prioritize applying those patches promptly because no configuration change fully removes the vulnerable code path.
Mitigation
- Deploy the May 2026 Windows cumulative updates for Windows 11 24H2/25H2 immediately.
- Reduce browser attack surface: limit untrusted content, disable or harden scripting where possible.
- Monitor endpoints for anomalous kernel crashes and sudden privilege escalations.
- Ensure EDR and telemetry are tuned to detect post‑exploitation behaviors that follow local privilege escalation.
No Comment! Be the first one.