Severity
High
Analysis Summary
The newly disclosed CVE-2026-40369 represents a critical logic flaw in the Windows kernel (ntoskrnl.exe) affecting Windows 11 versions 24H2 through 25H2. Discovered by researcher, the vulnerability resides within the ExpGetProcessInformation function. It is triggered via the NtQuerySystemInformation syscall using information class 253. The flaw is exceptionally dangerous due to its 100% deterministic nature; by providing a buffer length of zero, an attacker can completely bypass ProbeForWrite validation. This allows a single syscall from an unprivileged process to treat any user-supplied pointer—including kernel addresses—as a valid target for memory manipulation.
Unlike traditional exploits that rely on unstable race conditions or complex heap spraying, this vulnerability provides a reliable arbitrary kernel-memory-increment primitive. By iterating through running processes, the kernel predictably increments values at attacker-controlled addresses. This primitive is then used to corrupt internal structures like CmpLayerVersions, enabling attackers to redirect kernel pointers into user-controlled memory. This sequence allows for arbitrary kernel reads, effectively neutralizing KASLR (Kernel Address Space Layout Randomization) and allowing the attacker to locate sensitive structures such as EPROCESS.
A defining characteristic of CVE-2026-40369 is its reachability from highly restricted environments. Because NtQuerySystemInformation is often exempt from Win32k lockdown and standard integrity checks, it serves as a "golden ticket" for browser escape chains in Chrome, Edge, and Firefox. Once kernel read/write access is established, an attacker can traverse the active process list to locate their own process token. By incrementing specific offsets within the token's privilege bitmask, they can grant themselves SeDebugPrivilege, allowing code injection into high-privilege processes like winlogon.exe to achieve full NT AUTHORITY\SYSTEM access.
The exploitation is further simplified by the lack of SMAP (Supervisor Mode Access Prevention) enforcement in Windows, which allows the kernel to safely access user-mode memory to process "fake" structures mapped by the attacker. This vulnerability, originally intended for Pwn2Own Berlin 2026, highlights that even heavily audited syscalls remain susceptible to catastrophic logic errors. As official patches are pending, organizations must prioritize monitoring for anomalous NtQuerySystemInformation patterns and implement robust endpoint detection (EDR) rules to flag unusual kernel interaction or unexpected privilege escalation attempts.
Impact
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
CVE-2026-40369
Remediation
- Apply the latest Microsoft security updates for Windows 11 versions 24H2 through 25H2 immediately, as these patches specifically address the logic flaw in ntoskrnl.exe by correcting how the kernel validates buffer lengths during system calls.
- Configure EDR (Endpoint Detection and Response) rules to monitor for and block suspicious calls to NtQuerySystemInformation involving information class 253, particularly when originating from low-integrity processes like browser renderers.
- Enable Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) to add an extra layer of hardware-level protection that makes kernel-mode memory manipulation significantly more difficult for attackers.
- Implement Windows Defender Application Control (WDAC) to restrict the execution of unauthorized tools or scripts that could be used to deliver an exploit payload to the target system.
- Audit process token changes by enabling advanced security auditing for "Sensitive Privilege Use," which allows security teams to detect when a process unexpectedly acquires SeDebugPrivilege or other high-level permissions.