VYPR
Advisory. Published May 27, 2026 · 1 source

CVE-2026-40369: Critical Windows Kernel Flaw Enables Deterministic SYSTEM Privilege Escalation from Browser Sandboxes

A critical Windows kernel vulnerability, CVE-2026-40369, allows unprivileged processes to achieve deterministic SYSTEM-level privilege escalation from browser sandboxes without race conditions or heap spraying.

A critical Windows kernel vulnerability, tracked as CVE-2026-40369, has been disclosed, enabling attackers to achieve full SYSTEM-level privilege escalation even from the most restricted environments, including browser sandboxes. Discovered by security researcher Ori Nimron, the flaw affects Windows 11 versions 24H2 through 25H2 and resides in the ntoskrnl.exe component, specifically within the ExpGetProcessInformation function. The vulnerability is particularly severe because it is 100% deterministic, requiring only a single system call from an unprivileged process to manipulate kernel memory.

At the core of the issue is the NtQuerySystemInformation syscall when called with information class 253 (SystemProcessInformationExtension). When the syscall is invoked with a buffer length of zero, the kernel's ProbeForWrite validation is skipped entirely, so any user-supplied pointer, including a kernel address, is used without being checked. The result is an arbitrary kernel-memory-increment primitive. During execution, the vulnerable function iterates through all running processes and increments a value at the attacker-controlled address on each iteration, modifying kernel memory in a predictable, repeatable manner.

This flaw stands out because it does not rely on traditional exploitation techniques such as race conditions, heap spraying, or token manipulation. Instead, it provides direct write access to kernel memory through a logic flaw. Because NtQuerySystemInformation is not subject to common sandbox protections such as Win32k lockdown or integrity-level checks, the vulnerability is reachable from sandboxed environments such as Chrome, Edge, and Firefox renderers, making it highly valuable for browser escape chains.

An example attack scenario begins with a compromised browser renderer process. Using this vulnerability, an attacker can increment specific kernel structures to gain further primitives, including arbitrary kernel read capabilities. By carefully corrupting internal structures such as CmpLayerVersions, attackers can redirect kernel pointers into user-controlled memory and extract sensitive kernel data. This enables bypassing protections such as Kernel Address Space Layout Randomization (KASLR) and locating critical structures, such as EPROCESS.

With kernel read access established, attackers can traverse the active process list to locate their own process token and manipulate privilege bitmasks. Incrementing specific offsets within the token structure can enable privileges such as SeDebugPrivilege. This allows opening handles to high-privilege processes like winlogon.exe and injecting malicious code, ultimately spawning a command shell running as NT AUTHORITY\SYSTEM.

The vulnerability also highlights a broader architectural weakness: Windows does not enforce Supervisor Mode Access Prevention (SMAP), so the kernel can dereference user-mode memory without faulting. This lets attackers map fake structures in user space and have the kernel process them as if they were legitimate kernel data, significantly simplifying exploitation.

Security researcher Ori Nimron emphasized that this bug exists in a highly scrutinized syscall, demonstrating that even well-audited code paths can contain critical flaws. The research was originally prepared for Pwn2Own Berlin 2026, but it was publicly disclosed after the submission was rejected due to capacity constraints. Currently, no official patch details have been confirmed, and users running affected Windows 11 builds remain at risk. Organizations are advised to monitor for unusual NtQuerySystemInformation usage, apply updates as soon as they become available, and implement endpoint detection rules to identify abnormal kernel interaction patterns.
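As an added illustration of the monitoring advice above (example code, not part of the Vypr advisory), the following pass flags telemetry lines matching the trigger shape the advisory describes: information class 253 with a zero-length buffer, weighted higher when the caller runs at a sandbox integrity level. The `key=value` line format and the `integrity` field are assumptions about a hypothetical syscall-tracing sensor; native Windows event logs do not record NtQuerySystemInformation arguments.

```python
# Detection example: flag NtQuerySystemInformation calls that match the
# CVE-2026-40369 trigger shape (information class 253 with a zero-length
# buffer), weighting hits from low-integrity (sandboxed) callers highest.
# The telemetry format below is constructed for this example and assumes a
# sensor that records syscall arguments; it is not a native Windows log.

SUSPECT_CLASS = 253              # SystemProcessInformationExtension
SANDBOX_LEVELS = {"Untrusted", "Low", "AppContainer"}

# Constructed sample events (not real captures).
SAMPLE_EVENTS = """\
pid=4312 image=chrome.exe integrity=Untrusted syscall=NtQuerySystemInformation class=5 length=65536
pid=4312 image=chrome.exe integrity=Untrusted syscall=NtQuerySystemInformation class=253 length=0
pid=880 image=svchost.exe integrity=System syscall=NtQuerySystemInformation class=253 length=4096
pid=5120 image=firefox.exe integrity=Low syscall=NtQuerySystemInformation class=253 length=0
pid=1744 image=explorer.exe integrity=Medium syscall=NtQuerySystemInformation class=253 length=0
pid=2200 image=explorer.exe integrity=Medium syscall=NtOpenProcess class=- length=-
"""


def parse_event(line):
    """Turn one 'key=value ...' line into a dict; numeric fields become ints."""
    event = dict(kv.split("=", 1) for kv in line.split())
    for key in ("pid", "class", "length"):
        event[key] = int(event[key]) if event.get(key, "-").isdigit() else None
    return event


def classify(event):
    """Return a severity string for one event, or None if it is benign."""
    if event.get("syscall") != "NtQuerySystemInformation":
        return None
    if event["class"] != SUSPECT_CLASS or event["length"] != 0:
        return None
    # A zero-length query of class 253 is the exact shape that skips
    # ProbeForWrite; from a sandboxed caller it is the browser-escape case.
    return "high" if event.get("integrity") in SANDBOX_LEVELS else "medium"


def scan(text):
    """Return [(pid, image, severity)] for every line that matches."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((event["pid"], event["image"], severity))
    return hits


if __name__ == "__main__":
    for pid, image, severity in scan(SAMPLE_EVENTS):
        print(f"{severity.upper():6} pid={pid} image={image}")
```

Legitimate callers that pass a non-zero buffer (the svchost.exe line) are not flagged, so the rule keys on the exact bypass condition rather than on class 253 alone.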

Synthesized by Vypr AI