When Zero Bytes Trigger Kernel Writes: The Logic Flaw Behind Windows Privilege Escalation

A significant vulnerability in the Windows kernel, identified as CVE-2026-40369, has been uncovered, providing a direct pathway for unprivileged processes to achieve full SYSTEM-level privileges. This flaw is particularly dangerous because it can be triggered from within highly restricted environments, such as a browser renderer sandbox, making it a prime candidate for exploit chaining.

The vulnerability resides within ntoskrnl.exe, specifically inside the ExpGetProcessInformation helper function. The entry point for an attacker is a single call to the NtQuerySystemInformation system call using information class 253 (SystemProcessInformationExtension).

Technical Root Cause: The Logic Flaw in ExpGetProcessInformation

At its core, CVE-2026-40369 is an untrusted pointer dereference that manifests as a precise, arbitrary 12-byte kernel memory increment. The issue stems from how the kernel handles buffer length validation when processing information class 253.

When a caller invokes NtQuerySystemInformation with class 253, the kernel attempts to populate a buffer with process extension data. The function assigns the user-supplied buffer address directly to an internal pointer, pExtensionOut. Under normal operating conditions, the kernel invokes ProbeForWrite to verify that this pointer resides within a valid user-mode memory range, preventing the kernel from writing to sensitive system memory.

However, a critical logic error exists: if the supplied buffer length is set to zero, the ProbeForWrite guard is entirely bypassed.

The execution flow proceeds as follows:

  1. The kernel enters a loop to iterate through every active process on the system.
  2. For every process encountered, the kernel performs three 4-byte (DWORD) increments at the address pointed to by pExtensionOut: a generic counter, the accumulated active thread count, and the accumulated handle count.
  3. After the loop completes and the writes have already occurred, the kernel finally checks the buffer size. Finding it to be zero, it returns the error code STATUS_INFO_LENGTH_MISMATCH.

Because the function fails to return early upon discovering the length mismatch, the “error” state actually serves as the trigger for the write primitive. The attacker provides a target kernel address and a length of zero, causing the kernel to perform the increments before reporting the failure.

Exploitation and Sandbox Escapes

What makes this vulnerability particularly potent is its accessibility. Most kernel exploits require bypassing complex “win32k” restrictions or gaining specific privileges. However, because NtQuerySystemInformation is a core NT system call rather than a GUI-related win32k.sys call, it remains accessible even within the highly sandboxed environments of modern browsers like Chrome, Edge, or Firefox.

An attacker who achieves even limited code execution via a JavaScript engine vulnerability can jump from a sandboxed renderer process directly to the kernel. When paired with a KASLR (Kernel Address Space Layout Randomization) bypass—such as side-channel leaks—this increment primitive can be used to manipulate kernel structures with deterministic reliability, leading to a complete system takeover.

Security researcher Ori Nimron has demonstrated the viability of this attack by publishing a full exploit package. This includes a proof-of-concept that models the specific constraints of a Chrome sandbox environment, proving that the transition from “sandboxed” to “SYSTEM” is highly achievable.

Affected Systems and Remediation

The vulnerability impacts Windows 11 versions 24H2 and 25H2, and initial reports suggest that Windows Server 2025 may also be vulnerable. Current CVSS scoring places this flaw at approximately 7.8 (High), reflecting the low complexity required to execute the attack once local code execution is achieved.

Mitigation Steps:

  • Apply Security Updates: Microsoft addressed this vulnerability in the May 2026 Patch Tuesday cumulative updates. This is the only definitive fix.
  • Prioritize Deployment: Because there are no known configuration-based workarounds that effectively hide the NtQuerySystemInformation surface, immediate patching of Windows 11 endpoints is critical.
  • Enhanced Monitoring: Security teams should monitor for anomalous kernel-mode activity and use EDR (Endpoint Detection and Response) tools to flag unusual privilege escalations or unexpected system crashes that may indicate exploitation attempts.

Related Articles

Back to top button