Windows Kernel Elevation of Privilege via Untrusted Pointer Dereference
CVE-2026-40369 is a Windows Kernel elevation of privilege vulnerability caused by an untrusted pointer dereference. An authorized local attacker can exploit the flaw to elevate privileges on a vulnerable Windows system. The issue affects the Windows Kernel and was assessed as 'Exploitation More Likely' in May 2026 Patch Tuesday reporting. The available source material gives no further technical details about the specific vulnerable function, code path, or triggering mechanism.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Windows local privilege escalation exploit for CVE-2026-40369, centered on NtQuerySystemInformation class 253 (SystemProcessInformationExtension). The bug is described as a ProbeForWrite bypass when SystemInformationLength is 0, allowing an attacker-supplied kernel pointer to reach ntoskrnl!ExpGetProcessInformation and be dereferenced and written during process enumeration. The primitive increments three DWORDs at an arbitrary kernel address: the process count at addr+0, the total thread count at addr+4, and the total handle count at addr+8.

Repository structure: (1) README.md documents the vulnerability, crash details, affected Windows versions, and exploitability claims; (2) basic_poc/basic_poc.cpp is a minimal reproducer that dynamically resolves NtQuerySystemInformation from ntdll.dll and passes a hardcoded kernel address 0xffff800041424344 with length 0 to demonstrate the write primitive and BSOD behavior; (3) full_poc/full_poc.cpp is the main exploit chain, substantially more advanced than the basic PoC; and (4) full_poc_with_chrome_sandbox_emulator/ contains a near-identical full exploit plus sandbox.c, a Chrome renderer sandbox emulator used to show the exploit remains reachable from a restricted browser sandbox context.

The full exploit appears operational rather than a simple crash PoC. From the visible code, it uses NtQuerySystemInformationEx with SystemBuildVersionInformation (222) and crafted structures to build a confusion/read primitive around CmpLayerVersions/CmpLayerVersionCount-related kernel data. It repeatedly calls a write_at() helper against kernel addresses derived from ntos_base and specific RVAs, searches for a confusion address, locates the current EPROCESS, reads the EPROCESS token, masks the EX_FAST_REF low bits, and then repeatedly increments token privilege-related offsets (token+0x42 and token+0x42+12). It then attempts InjectToWinlogon(), indicating the intended end state is elevated execution in a privileged process after enabling SeDebugPrivilege or equivalent token rights.

The sandbox.c component is not an exploit itself but a realistic harness that recreates Chrome’s Windows renderer sandbox token model: lockdown and initial tokens, low/untrusted integrity, deny-only SIDs, restricting SIDs, privilege stripping, and various verification tests. Its purpose is to validate the exploit’s claim that the vulnerable syscall path is reachable even from a browser sandbox. No external network communication, C2, or remote endpoints are present. The exploit is entirely local and Windows-specific, relying on direct native API/syscall access and kernel structure manipulation. The most fingerprintable observables are the use of ntdll!NtQuerySystemInformation / NtQuerySystemInformationEx, the hardcoded example kernel address in the basic PoC, references to kernel offsets such as CmpLayerVersionCount and EPROCESS_Token, and the post-exploitation target winlogon.
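The root cause the repository describes, a ProbeForWrite that is skipped when the caller passes a length of 0, is a general kernel bug class, and the fix pattern is the same in every handler: validate the output size before probing, and probe the number of bytes the handler will actually write rather than the number the caller claims. The model below is an added illustration, not code from the repository or from Windows. It is a user-mode C model that reproduces only the documented ProbeForWrite contract (a zero-length probe performs no alignment or range check) and never dereferences any pointer; the x64 user-space bound and the handler shape are assumptions labelled in the comments, and the only value taken from the page is the basic PoC's kernel address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-mode model of the bug class described above: a
 * zero-length ProbeForWrite is a no-op, so a handler that probes with the
 * caller's SystemInformationLength and then writes fixed-size counters
 * lets a kernel pointer through. This is not the real ntoskrnl code. */

/* Assumed x64 bound below which user-mode buffers must lie (MmUserProbeAddress). */
#define MM_USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

/* Bytes the primitive is said to write: three DWORDs at addr+0, +4, +8. */
#define EXTENSION_RECORD_SIZE 12ULL

typedef enum {
    MODEL_SUCCESS = 0,
    MODEL_ACCESS_VIOLATION,
    MODEL_DATATYPE_MISALIGNMENT,
    MODEL_INFO_LENGTH_MISMATCH
} model_status;

/* Models ProbeForWrite's documented contract: when Length is zero, no
 * alignment or range check runs at all. */
static model_status model_probe_for_write(uint64_t addr, uint64_t len, uint64_t align)
{
    if (len == 0)
        return MODEL_SUCCESS;                  /* the bypass: nothing is checked */
    if (addr & (align - 1))
        return MODEL_DATATYPE_MISALIGNMENT;
    if (addr + len < addr || addr + len > MM_USER_PROBE_ADDRESS)
        return MODEL_ACCESS_VIOLATION;         /* kernel range or wraparound */
    return MODEL_SUCCESS;
}

/* Vulnerable pattern: probe with whatever length the caller supplied, then
 * write the 12-byte record anyway. *would_write reports whether the pointer
 * would have been dereferenced; the model itself never touches memory. */
static model_status vulnerable_handler(uint64_t out, uint64_t len, bool *would_write)
{
    *would_write = false;
    model_status st = model_probe_for_write(out, len, sizeof(uint32_t));
    if (st != MODEL_SUCCESS)
        return st;
    *would_write = true;   /* the counters would be written to 'out' here */
    return MODEL_SUCCESS;
}

/* Hardened pattern: require room for the record before probing, and probe
 * the size the handler will actually write, not the caller's length. */
static model_status hardened_handler(uint64_t out, uint64_t len, bool *would_write)
{
    *would_write = false;
    if (len < EXTENSION_RECORD_SIZE)
        return MODEL_INFO_LENGTH_MISMATCH;
    model_status st = model_probe_for_write(out, EXTENSION_RECORD_SIZE, sizeof(uint32_t));
    if (st != MODEL_SUCCESS)
        return st;
    *would_write = true;
    return MODEL_SUCCESS;
}

/* Convenience wrapper: does the given handler reach the dereference? */
static bool dereferences(model_status (*handler)(uint64_t, uint64_t, bool *),
                         uint64_t out, uint64_t len)
{
    bool w = false;
    handler(out, len, &w);
    return w;
}

int main(void)
{
    /* Kernel-range address quoted from the basic PoC, plus a constructed
     * user-range address for comparison. */
    const uint64_t kernel_ptr = 0xffff800041424344ULL;
    const uint64_t user_ptr   = 0x0000000000410000ULL;
    bool w;
    model_status st;

    st = vulnerable_handler(kernel_ptr, 0, &w);
    printf("vulnerable, kernel ptr, len 0:  status=%d would_write=%d\n", st, w);
    st = hardened_handler(kernel_ptr, 0, &w);
    printf("hardened,   kernel ptr, len 0:  status=%d would_write=%d\n", st, w);
    st = hardened_handler(kernel_ptr, 12, &w);
    printf("hardened,   kernel ptr, len 12: status=%d would_write=%d\n", st, w);
    st = hardened_handler(user_ptr, 12, &w);
    printf("hardened,   user ptr,   len 12: status=%d would_write=%d\n", st, w);
    return 0;
}
```

The model makes the defender's point concrete: in the vulnerable shape a kernel pointer with length 0 sails through the probe and reaches the write, whereas the hardened shape rejects it with a length mismatch before any probe runs, and even a correctly sized request with a kernel-range pointer fails the probe because the probe covers the bytes that will really be written.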
Recent activity
20 sources tracked across advisories, community write-ups, and news.
A Windows Kernel elevation of privilege vulnerability assessed as more likely to be exploited, allowing a local attacker to elevate privileges to SYSTEM or higher integrity levels.
An important Windows Kernel elevation of privilege vulnerability that Microsoft determined is more likely to be exploited.