Windows Kernel Vulnerability CVE-2026-40369 Poses Threat to Windows 11 Users
A newly discovered Windows kernel vulnerability, identified as CVE-2026-40369, has raised significant concerns within the cybersecurity community. This flaw allows any unprivileged process, including those running within the confines of browser renderer sandboxes, to manipulate arbitrary kernel memory and potentially escalate privileges to SYSTEM on Windows 11 versions 24H2 and 25H2. The implications of this vulnerability are far-reaching, affecting system security and posing a risk to both individual users and organizations alike.
Detailed Overview of the Vulnerability
CVE-2026-40369 is characterized as an untrusted pointer dereference in the Windows kernel, which ultimately facilitates local privilege escalation. The root of the issue lies within the ntoskrnl.exe component, particularly in the ExpGetProcessInformation function. This function can be accessed through a single call to NtQuerySystemInformation using information class 253. When this call is executed with a zero-length buffer, it allows a caller-controlled pointer to be passed without adequate validation, setting the stage for exploitation.
The vulnerability consists of an arbitrary 12-byte kernel write or increment primitive that can be utilized from any standard user context. This flaw highlights a severe oversight in the kernel’s design, as it bypasses necessary safeguards and allows malicious actors to manipulate kernel memory.
Affected Systems and Severity Rating
The vulnerability specifically impacts Windows 11 versions 24H2 and 25H2, with reports suggesting that Windows Server 2025 could also be affected. Currently, security assessments from both vendors and third-party organizations place the severity of this flaw at a CVSS score of 7.8, categorizing it as high. This rating reflects its low complexity for potential exploitation, coupled with significant risks to confidentiality, integrity, and availability once an attacker achieves local code execution.
Exploitation Mechanics
Research indicates that multiple classes within NtQuerySystemInformation utilize the ExpGetProcessInformation helper function, including classes 5 and 253. Specifically, in class 253, the function assigns a user-supplied buffer directly to an internal pointer, pExtensionOut. As the code traverses the list of processes in the system, it usually employs ProbeForWrite to ensure a safe user-mode address. However, this essential step is bypassed if the length parameter is zero, thus exposing the system to manipulation.
In the implementation of class 253, the system updates three DWORDs at a potentially attacker-controlled address for every process—an operation that includes a generic counter and thread and handle counts. A design flaw allows for operations to continue even after detecting a “too small” buffer size. Thus, instead of rejecting the operation, the function performs the writes and only subsequently returns an error code, turning an otherwise non-fatal length mismatch into a reliable mechanism for arbitrary kernel increments.
Security experts point out that this primitive can be accessed from highly restricted contexts, such as the renderer sandboxes of major browsers like Chrome, Edge, and Firefox. Notably, Chrome’s win32k lockdown does not extend to NtQuerySystemInformation, as this syscall is a fundamental part of Windows’ NT kernel interface.
Potential for Combined Attacks
Given that the affected information class imposes no privilege checks, untrusted processes can exploit the vulnerability directly. This means that any remote code execution vulnerability present in browser renderers, such as those found in JavaScript engines, could work in tandem with CVE-2026-40369. This combination would allow cybercriminals to leap from a sandboxed environment to achieve full kernel-level access.
Public analyses emphasize that when CVE-2026-40369 is paired with a separate kernel Address Space Layout Randomization (ASLR) bypass, such as certain prefetch side-channel tools, attackers can transition from a single compromised browser tab to complete system control with a high degree of reliability.
Ongoing Research and Mitigations
Noteworthy is the work of researcher Ori Nimron, who has disclosed a comprehensive exploit package for CVE-2026-40369, including a proof-of-concept aimed at illustrating local privilege escalation specifically in the context of the Chrome sandbox environment. Discussions across social media platforms and vulnerability feeds confirm that the exploit is now publicly known and can facilitate a transition to SYSTEM-level code execution when combined with any KASLR leaks.
Microsoft has addressed this vulnerability in the May 2026 Patch Tuesday updates for Windows 11. Organizations and individual users running Windows 11 24H2 or 25H2 are strongly urged to prioritize the deployment of these patches, as no alternative configuration-based workarounds are known to effectively eliminate this risk.
In the meantime, security teams are encouraged to minimize browser exposure, keep an eye out for unusual kernel crash reports, and ensure that Endpoint Detection and Response (EDR) solutions are capable of detecting behaviors indicative of post-exploitation scenarios linked to sudden privilege elevation.
Addressing this vulnerability is crucial for maintaining the integrity of Windows systems, highlighting an urgent need for proactive security measures and vigilant monitoring in an increasingly complex digital landscape.