Critical Windows Kernel Vulnerability Enables SYSTEM Privilege Escalation
Severity: High (Score: 69.0)
Sources: Gbhackers, Cybersecuritynews
Keywords: kernel, windows, vulnerability, attackers, memory, allows, modify
Severity indicators: vulnerability
Summary
A critical vulnerability in the Windows kernel, identified as CVE-2026-40369, has been disclosed, allowing unprivileged processes to escalate privileges to SYSTEM level. This flaw affects Windows 11 versions 24H2 through 25H2 and resides in the ntoskrnl.exe component, specifically within the ExpGetProcessInformation function. Attackers can exploit this vulnerability from restricted environments, such as browser sandboxes, using a single NtQuerySystemInformation call. The vulnerability was published on May 12, 2026, with a proof of concept (PoC) made public shortly after on May 14, 2026. Security researchers have emphasized the potential for widespread exploitation given the ease of access to the attack vector. Organizations using affected Windows versions are urged to apply security updates as soon as they are available.

Key Points:
- CVE-2026-40369 allows unprivileged processes to escalate to SYSTEM privileges.
- The vulnerability affects Windows 11 versions 24H2 through 25H2.
- Exploitation can occur from browser sandboxes using a single API call.
Detailed Analysis
**Impact** The vulnerability affects Windows 11 versions 24H2 through 25H2, potentially impacting all users running these OS versions globally. Any unprivileged process, including sandboxed browser renderers, can exploit this flaw to escalate privileges to SYSTEM level. This enables attackers to gain full control over affected systems, risking unauthorized access to sensitive data and disruption of business operations across all sectors using these Windows versions.

**Technical Details** CVE-2026-40369 is an untrusted pointer dereference vulnerability located in the ntoskrnl.exe module, specifically within the ExpGetProcessInformation function. The exploit is triggered via a single NtQuerySystemInformation call with information class 253, allowing modification of arbitrary kernel memory counters. No specific malware or tools have been reported in conjunction with this exploit. The vulnerability enables privilege escalation at the post-exploitation stage of the kill chain.

**Recommended Response** Apply the official Microsoft patch addressing CVE-2026-40369 immediately on all affected Windows 11 systems. Deploy detections monitoring unusual NtQuerySystemInformation calls with information class 253 and anomalous kernel memory counter modifications. Harden configurations to restrict unprivileged processes from invoking kernel queries where possible. Monitor for indicators of exploitation, though no specific IOCs have been publicly disclosed.
Source articles (2)
- Windows Kernel Vulnerability Lets Attackers Modify Kernel Memory Counters — Gbhackers · 2026-05-27
  A critical Windows kernel vulnerability, CVE-2026-40369, allows any unprivileged process, including a browser renderer sandbox, to increment arbitrary kernel memory and reliably escalate to SYSTEM on…
- Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters — Cybersecuritynews · 2026-05-27
  A critical Windows kernel vulnerability, tracked as CVE-2026-40369, has been disclosed, enabling attackers to achieve full SYSTEM-level privilege escalation even from the most restricted environments,…
Timeline
- 2026-05-12 — CVE-2026-40369 published: A critical Windows kernel vulnerability was officially disclosed, affecting Windows 11.
- 2026-05-14 — First public PoC released: A proof of concept for the vulnerability was made public, increasing the risk of exploitation.
- 2026-05-27 — Vulnerability reported in news articles: Multiple cybersecurity outlets reported on the critical nature of CVE-2026-40369, highlighting its impact.
Related entities
- Zero-day Exploit (Attack Type)
- Windows (Platform)