12‑Byte Syscall in Browser Sandbox Grants SYSTEM on Windows (CVE‑2026‑40369 PoC)

The article details CVE‑2026‑40369, a Windows kernel flaw in ExpGetProcessInformation where a zero‑length buffer bypasses ProbeForWrite, allowing a browser sandbox process to write arbitrary kernel memory with a 12‑byte syscall, leading to a deterministic, fully‑reliable privilege‑escalation chain that grants SYSTEM without race conditions, and discusses detection and mitigation.

Black & White Path

Vulnerability Overview

CVE‑2026‑40369 (CVSS 7.8, high severity, marked "more likely to be exploited") is a logic flaw in ntoskrnl.exe, in the ExpGetProcessInformation function. When a caller invokes NtQuerySystemInformation with information class 253 (SystemProcessInformationExtension) and supplies a buffer length of zero, the ProbeForWrite validation is skipped entirely because it sits behind an if (Length) guard, so no address‑range check is ever performed on the caller‑supplied output pointer.

This lets an attacker name any kernel virtual address as the write target. The syscall is reachable from a browser renderer sandbox such as Chrome's: neither Win32k lockdown nor integrity‑level restrictions block NtQuerySystemInformation, so for this one operation the sandbox provides no protection at all.

Figure: exploit chain diagram

Technical Details: 12‑Byte Primitive

Core Primitive – Arbitrary Kernel DWORD Increment

A single call NtQuerySystemInformation(253, kernelAddr, 0, &needed) makes the kernel perform three consecutive DWORD read‑modify‑write operations at the attacker‑controlled address:

// ExpGetProcessInformation, information class 253 path
// (Length == 0, so ProbeForWrite never validated a1)
unsigned int *v99 = (unsigned int *)a1; // caller‑supplied output pointer, used directly
++*v99;               // [target+0] += total number of processes
v99[1] += threadCnt;  // [target+4] += total thread count
v99[2] += handleCnt;  // [target+8] += total handle count

The target address need not be 4‑byte aligned, so the three writes can straddle adjacent structure fields. The increment values depend on system state (process, thread and handle counts) rather than on attacker input. Triggering the call repeatedly therefore produces a random‑walk effect that can gradually push specific bits of a kernel structure toward the values the attacker wants.

Why Multi‑Layer Defenses Fail

ProbeForWrite: returns immediately when the length is zero, so address‑range validation never runs.

SeAccessCheck: checks access rights but does not block the write itself.

Length check: the function sets STATUS_INFO_LENGTH_MISMATCH but continues executing instead of returning.

SMAP (Supervisor Mode Access Prevention): not enforced on Windows, so the kernel is free to access user‑mode memory.

HVCI/KPP (Hypervisor‑protected Code Integrity / Kernel Patch Protection): protect code pages and selected structures, but most writable kernel data remains unprotected.

The flaw is an architectural defect in the information‑class‑253 path: with Length = 0, every link in the trust chain is skipped at once.

Exploitation Path: From Primitive to SYSTEM Shell

The full exploit chain consists of five stages.

Stage 1 – KASLR Bypass

Obtain the kernel base address to enable subsequent address calculations.

Stage 2 – Disable Feature_RestrictKernelAddressLeaks Gate

Write to a Windows Implementation Library (WIL) feature‑state cache address to turn off the gate that zeroes out certain information classes (e.g., class 64). The original cache value is 0x57, and the gate is off once the condition (0x57 + N) & 0x11 == 0x10 holds; the smallest N ≥ 185. Repeatedly triggering the vulnerability from short‑lived subprocesses eventually clears the gate.

Stage 3 – Leak _TOKEN Kernel Address

After the gate is cleared, calling SystemExtendedHandleInformation (class 64) returns the system handle table, allowing the attacker to locate the current process’s _TOKEN kernel virtual address.

Stage 4 – Privilege Bit Escalation

The researcher targets SeCreateTokenPrivilege instead of the traditional SeDebugPrivilege. By repeatedly invoking the primitive and reading back TokenPrivileges, the attacker decodes the privilege bit fields and incrementally pushes critical privileges such as SeCreateTokenPrivilege, SeTcbPrivilege and SeImpersonatePrivilege into the enabled state. Each increment may cause carry propagation, so the exact effect of a single write is unpredictable, but enough attempts eventually set the target bits.

Figure: TOKEN privilege modification process

Stage 5 – Generate SYSTEM Shell

With the required privileges in place, the attacker calls NtCreateToken to forge a SYSTEM primary token, then uses CreateProcessWithTokenW to launch cmd.exe. The resulting shell runs as NT AUTHORITY\SYSTEM. The chain is fully deterministic (100 % reliable) and needs no race conditions or heap spraying.

Impact Scope

Windows 11 24H2, build 26100.1742 and earlier: not affected

Windows 11 25H2, builds 26100.5074 through 26100.8328: affected

Windows Server 2025, build 26100.32690: affected

Microsoft released a patch on 12 May 2026 (KB5089593 and related updates). Enterprise patch deployment often lags weeks or months, leaving many Chinese government and enterprise endpoints vulnerable.

Detection and Mitigation

Endpoint Detection

Sysmon Event 10 (ProcessAccess): a low‑privilege process accessing a high‑privilege process via NtQuerySystemInformation.

Sysmon Events 13/14 (Registry): abnormal modification of the kernel‑mode feature cache.

High‑frequency calls to NtQuerySystemInformation that return a required length of 12 (the count correlates with process‑count changes).
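The third indicator above is rate‑based, so it needs a sliding window rather than a single‑event match. The following is an added example (not code from the article or the researcher) that runs that logic over constructed telemetry records; the record field names (pid, integrity, info_class, length, returned, ts) are assumed for illustration and are not Sysmon or ETW field names.

```python
from collections import defaultdict

SYSTEM_PROCESS_INFORMATION_EXTENSION = 253   # information class named in the article
THREE_DWORDS = 12                            # "returns a length of 12"
LOW_INTEGRITY = {"Untrusted", "Low"}         # renderer-sandbox integrity levels

def is_primitive_shaped(ev):
    """One record matching the article's indicator: class 253, zero-length
    buffer, and the kernel reporting 12 bytes needed."""
    return (ev["info_class"] == SYSTEM_PROCESS_INFORMATION_EXTENSION
            and ev["length"] == 0
            and ev["returned"] == THREE_DWORDS)

def flag_suspicious(events, window=5.0, threshold=20):
    """Return {pid: peak_count} for low-integrity processes that issue at
    least `threshold` primitive-shaped calls inside any `window`-second span."""
    per_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["integrity"] in LOW_INTEGRITY and is_primitive_shaped(ev):
            per_pid[ev["pid"]].append(ev["ts"])
    flagged = {}
    for pid, times in per_pid.items():
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pid] = peak
    return flagged

# Constructed sample telemetry (field names assumed, not Sysmon/ETW names).
SAMPLE = [
    # 30 tightly spaced calls from a Low-integrity renderer: the pattern to flag.
    {"pid": 4120, "integrity": "Low", "info_class": 253, "length": 0,
     "returned": 12, "ts": 1.0 + i * 0.05}
    for i in range(30)
] + [
    # Ordinary process listing: Medium integrity, real buffer, class 5. Ignored.
    {"pid": 2208, "integrity": "Medium", "info_class": 5, "length": 65536,
     "returned": 0, "ts": 2.0},
    # A single zero-length class-253 probe is not enough on its own.
    {"pid": 5001, "integrity": "Low", "info_class": 253, "length": 0,
     "returned": 12, "ts": 3.0},
]

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE))   # {4120: 30}
```

The window and threshold are starting points; tune them against a baseline of your own renderer processes, since a legitimate process can probe class 253 with a zero length once to learn the required size.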

Mitigation Measures

Patch immediately: deploy Microsoft's May 2026 patch (KB5089593).

Restrict browser renderer privileges: enable Hardware‑enforced Stack Protection in Chrome or configure Windows Defender Application Guard for Edge.

Enable HVCI (Hypervisor‑protected Code Integrity): raises the cost of exploitation, though it does not fully block the flaw.

Monitor abnormal kernel writes: deploy EDR rules that detect unexpected kernel‑memory writes.

Apply the principle of least privilege: avoid running non‑browser applications at High Integrity Level to reduce lateral‑movement paths.

Conclusion

The vulnerability shows that a sandbox is not a true security boundary; it merely adds friction. A 12‑byte kernel write primitive that every defense layer ignores, combined with a 100 % reliable exploitation chain, lets any attacker with code execution inside the browser obtain SYSTEM privileges within minutes. Rapid patch deployment is the decisive factor for affected enterprises.
