Critical Windows Kernel Flaw (CVE-2026-40369) Enables SYSTEM-Level Privilege Escalation
A newly disclosed Windows kernel vulnerability, CVE-2026-40369, allows attackers to achieve full SYSTEM-level privilege escalation even from highly restricted environments like browser sandboxes. Discovered by security researcher Ori Nimron, the flaw affects Windows 11 versions 24H2 through 25H2 and resides in the ntoskrnl.exe component, specifically within the ExpGetProcessInformation function.
The vulnerability is 100% deterministic, requiring only a single system call from an unprivileged process to manipulate kernel memory. The issue stems from the NtQuerySystemInformation syscall (information class 253, SystemProcessInformationExtension), which bypasses ProbeForWrite validation when invoked with a zero-length buffer. This allows attackers to supply arbitrary kernel memory addresses, enabling an arbitrary kernel-memory-increment primitive.
Unlike traditional exploits, this flaw does not rely on race conditions, heap spraying, or token manipulation. Instead, it provides direct write access to kernel memory through a logic error, making it reachable from sandboxed environments such as Chrome, Edge, and Firefox renderer processes, a critical vector for browser escape attacks.
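The article describes the root cause as a user-pointer write check (ProbeForWrite) that is skipped when the caller passes a zero-length buffer, while the handler still touches the caller-supplied address. The following is an added, constructed C model of that bug pattern beside its hardened form; it is not ntoskrnl.exe code, does not reproduce ExpGetProcessInformation or the real NtQuerySystemInformation handler, and every name in it (handler_vulnerable, handler_hardened, probe_for_write, KERNEL_BASE, the simulated flat memory) is an assumption made for the illustration. It runs in user space as a simulation so the difference in behaviour can be checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed toy model of an information-class handler, written for this page to
 * illustrate the bug pattern the article describes: a user-pointer probe that is
 * only performed for non-zero lengths while the address is still written to.
 * It is NOT the Windows kernel code; all names and values are assumptions. */

/* Simulated address-space split: addresses at or above KERNEL_BASE are "kernel". */
#define KERNEL_BASE 0x8000ULL

typedef enum {
    STATUS_SUCCESS = 0,
    STATUS_ACCESS_VIOLATION = 1,
    STATUS_INFO_LENGTH_MISMATCH = 2
} ntstatus_t;

/* Simulated flat memory: an address indexes directly into this array. */
static uint32_t g_memory[0x10000];

/* Stand-in for ProbeForWrite: reject ranges that wrap or reach kernel space. */
static bool probe_for_write(uint64_t addr, size_t length) {
    if (addr + length < addr) return false;          /* arithmetic wrap-around */
    if (addr + length > KERNEL_BASE) return false;   /* crosses into kernel space */
    return true;
}

/* Vulnerable pattern: the probe is guarded by "length != 0", but the handler
 * still increments a counter at the caller-supplied address afterwards, so a
 * zero-length request skips validation and the increment lands anywhere. */
ntstatus_t handler_vulnerable(uint64_t user_buf, size_t length) {
    if (length != 0 && !probe_for_write(user_buf, length))
        return STATUS_ACCESS_VIOLATION;
    g_memory[user_buf & 0xFFFF] += 1;   /* "records returned" counter */
    return STATUS_SUCCESS;
}

/* Hardened pattern: a request too small to hold the write returns the required
 * size without touching the buffer, and every address that will be written is
 * probed for at least the size of that write. */
ntstatus_t handler_hardened(uint64_t user_buf, size_t length, size_t *required) {
    *required = sizeof(uint32_t);
    if (length < sizeof(uint32_t))
        return STATUS_INFO_LENGTH_MISMATCH;          /* no write, nothing to bypass */
    if (!probe_for_write(user_buf, sizeof(uint32_t)))
        return STATUS_ACCESS_VIOLATION;
    g_memory[user_buf & 0xFFFF] += 1;
    return STATUS_SUCCESS;
}

/* Helpers for inspecting the simulated memory. */
uint32_t peek(uint64_t addr) { return g_memory[addr & 0xFFFF]; }
void reset_memory(void) { memset(g_memory, 0, sizeof g_memory); }
```

The defensive point is the ordering of the two checks in handler_hardened: the length check runs first and returns before any write, and the probe covers the bytes actually written rather than the length the caller claims. With that ordering a zero-length request cannot reach the write at all.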
Exploitation & Impact
An attacker could exploit this vulnerability by:
- Compromising a browser renderer process and invoking the vulnerable syscall.
- Incrementing kernel structures to gain arbitrary read capabilities, bypassing Kernel Address Space Layout Randomization (KASLR).
- Corrupting internal structures (e.g., CmpLayerVersions) to redirect kernel pointers into user-controlled memory.
- Extracting sensitive kernel data, locating the EPROCESS structure, and modifying privilege bitmasks (e.g., enabling SeDebugPrivilege).
- Injecting malicious code into high-privilege processes (e.g., winlogon.exe) to spawn a SYSTEM-level command shell.
The exploit also benefits from a broader architectural weakness: Windows' lack of Supervisor Mode Access Prevention (SMAP), which lets the kernel access user-mode memory without faulting during exploitation. This simplifies attacks because attackers can place fake structures in user space and have the kernel consume them.
Disclosure & Patch Status
Originally developed for Pwn2Own Berlin 2026, the vulnerability was publicly disclosed after the submission was rejected due to event capacity constraints. No official patch has been released, leaving affected Windows 11 systems exposed. Security teams are advised to monitor for unusual NtQuerySystemInformation usage and prepare for forthcoming updates.
The discovery highlights persistent risks in kernel attack surfaces, even in well-audited code paths.
Source: https://cybersecuritynews.com/windows-kernel-vulnerability/
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
"id": "MIC1779899267",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology',
'location': 'Global',
'name': 'Microsoft Windows',
'type': 'Operating System'}],
'attack_vector': 'Local',
'data_breach': {'sensitivity_of_data': 'Kernel memory, sensitive system data'},
'description': 'A newly disclosed Windows kernel vulnerability, '
'CVE-2026-40369, allows attackers to achieve full SYSTEM-level '
'privilege escalation even from highly restricted environments '
'like browser sandboxes. The flaw affects Windows 11 versions '
'24H2 through 25H2 and resides in the ntoskrnl.exe component, '
'specifically within the ExpGetProcessInformation function. '
'The vulnerability is 100% deterministic, requiring only a '
'single system call from an unprivileged process to manipulate '
'kernel memory.',
'impact': {'identity_theft_risk': 'High',
'operational_impact': 'Full SYSTEM-level privilege escalation',
'systems_affected': 'Windows 11 versions 24H2 through 25H2'},
'lessons_learned': 'Highlights persistent risks in kernel attack surfaces, '
'even in well-audited code paths.',
'post_incident_analysis': {'root_causes': 'Logic error in '
'ExpGetProcessInformation function, '
'lack of ProbeForWrite validation, '
'and absence of Supervisor Mode '
'Access Prevention (SMAP).'},
'recommendations': 'Monitor for unusual NtQuerySystemInformation usage and '
'prepare for forthcoming updates.',
'references': [{'source': 'Security Researcher Ori Nimron'},
{'source': 'Pwn2Own Berlin 2026'}],
'response': {'enhanced_monitoring': 'Monitor for unusual '
'NtQuerySystemInformation usage'},
'title': 'Critical Windows Kernel Flaw (CVE-2026-40369) Enables SYSTEM-Level '
'Privilege Escalation',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'CVE-2026-40369'}