CVE-2026-40369 is a Windows Kernel elevation-of-privilege vulnerability in ntoskrnl.exe, specifically in the nt!ExpGetProcessInformation code path reachable via NtQuerySystemInformation using SystemProcessInformationExtension (information class 253). According to the provided technical reporting, when NtQuerySystemInformation is invoked with a caller-controlled output pointer and a buffer length of 0, the ProbeForWrite validation becomes ineffective, allowing an attacker-controlled pointer to be passed into ExpGetProcessInformation without adequate safety checks. The vulnerable routine reportedly sets STATUS_INFO_LENGTH_MISMATCH for the short buffer condition but continues processing instead of returning, and then dereferences and updates the supplied pointer. The resulting primitive is described as a deterministic arbitrary kernel-address increment/write affecting three DWORDs: the first is incremented per process, the second accumulates thread counts, and the third accumulates handle counts across the system. Microsoft classifies the issue as an untrusted pointer dereference in the Windows Kernel allowing local privilege escalation by an authorized attacker.
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a small Windows local privilege escalation exploit project written in C++. It contains one main entry point (exp.cpp), a large helper implementation file (exp_tools.cpp), and a header (exp_tools.h). The README states that the ntoskrnl kernel base must be set manually, which matches the code path where the operator is prompted to enter the kernel base address.

The exploit's purpose is to elevate the current process to SYSTEM by abusing a vulnerable kernel code path involving NtQuerySystemInformation with the SystemHandleCountInformation class. The main program resolves NtQuerySystemInformation from ntdll.dll, detects the OS version, asks the user for the ntoskrnl kernel base, loads C:\Windows\System32\ntoskrnl.exe in user mode, derives the offset of SeDebugPrivilege and the EPROCESS token field, and then repeatedly calls SpwanCmdSystem() followed by NtQuerySystemInformation with a crafted pointer argument of SeDebugPrivilegeAddr - 1. This strongly suggests an arbitrary or near-arbitrary kernel write primitive intended to flip the kernel SeDebugPrivilege state and/or facilitate token manipulation.

The helper code supports exploit setup and post-exploitation: enumerating processes, resolving kernel object pointers from handles via SystemExtendedHandleInformation, enumerating kernel modules via SystemModuleInformation, loading ntoskrnl.exe to pattern-scan for offsets, reading OS build/revision information, and spawning cmd.exe. The header defines many Windows-version-specific offsets for _EPROCESS token fields and PAGEDATA/SeDebugPrivilege locations, indicating the exploit is highly version-sensitive and designed for multiple Windows/Windows Server releases.

There are no network callbacks or remote endpoints; the attack vector is purely local. The main fingerprintable artifacts are hardcoded Windows paths (cmd.exe and ntoskrnl.exe), use of ntdll.dll, and the specific native APIs/information classes used for kernel interaction.
Overall, this is an operational local Windows kernel LPE exploit/privilege-manipulation tool rather than a scanner or detection script.
This repository contains a local Windows kernel privilege-escalation exploit for CVE-2026-40369, plus a basic primitive demonstrator and a Chrome renderer sandbox emulator. The repository has 5 files total: 4 code files and 1 README. Languages are C/C++ and Markdown.

Structure:

- `CVE-2026-40369/Basic_PoC/Basic-CVE-2026-40369.cpp`: minimal proof-of-concept showing the core bug. It dynamically resolves `NtQuerySystemInformation` from `ntdll.dll`, uses system information class 253 (`SystemProcessInformationExtension`), and passes a kernel pointer as the output buffer with length 0 to bypass `ProbeForWrite`. The stated effect is arbitrary kernel DWORD increments/additions at `[target+0]`, `[target+4]`, and `[target+8]`. This is a primitive demonstrator and may bugcheck the host if the address is invalid.
- `CVE-2026-40369/Full_PoC/Full-CVE-2026-40369.cpp`: full exploit implementation. It resolves `NtQuerySystemInformationEx`, uses `SystemBuildVersionInformation` class 222, crafts fake version/query structures, manipulates kernel globals such as `CmpLayerVersionCount`, and appears to build a type-confusion-assisted kernel read/write workflow. The exploit then locates the current `EPROCESS`, reads the token via `EPROCESS_Token`, repeatedly increments token privilege-related fields, enables `SeDebug`, and attempts `InjectToWinlogon()` to obtain SYSTEM execution.
- `CVE-2026-40369/full_poc_with_chrome_sandbox_emulator/Full-CVE-2026-40369.cpp`: essentially the same full exploit, compiled with `EMULATE_RENDERER_SANDBOX` for use with the included sandbox emulator.
- `CVE-2026-40369/full_poc_with_chrome_sandbox_emulator/sandbox.c`: a substantial Chrome renderer sandbox emulator that recreates Chrome token restrictions, integrity lowering, job object behavior, and sandbox launch flow. It can launch a child with `--sandboxed`, run verification tests, then call the exploit (`exp()`) from a constrained context.
- `README.md`: descriptive documentation, affected versions, impact, and defensive notes.

Main exploit capabilities:

1. Trigger a vulnerable kernel path through native Windows syscalls.
2. Obtain an arbitrary kernel increment/write primitive.
3. Abuse build-version query structures to gain kernel memory disclosure / confusion primitives.
4. Discover kernel object addresses including the current process `EPROCESS`.
5. Read and manipulate token fields in kernel memory.
6. Enable elevated privileges such as SeDebugPrivilege.
7. Inject into `winlogon` to transition to SYSTEM-level execution.
8. Demonstrate exploitability even from a Chrome-like renderer sandbox using the emulator variant.

There are no external network callbacks, C2 URLs, or remote endpoints in the provided code. The attack vector is strictly local. The code is a real exploit rather than a detector: it contains concrete syscall abuse, kernel structure manipulation, privilege modification, and process injection logic. Because the payload and post-exploitation steps are embedded and operational but appear somewhat hardcoded to specific offsets/build assumptions, the maturity is best classified as OPERATIONAL.
This repository contains a Windows local privilege escalation exploit for CVE-2026-40369, centered on NtQuerySystemInformation class 253 (SystemProcessInformationExtension). The bug is described as a ProbeForWrite bypass when SystemInformationLength is 0, allowing an attacker-supplied kernel pointer to reach ntoskrnl!ExpGetProcessInformation and be dereferenced/written during process enumeration. The primitive increments/adds three DWORDs at an arbitrary kernel address: process count at addr+0, total thread count at addr+4, and total handle count at addr+8.

Repository structure:

1. README.md documents the vulnerability, crash details, affected Windows versions, and exploitability claims.
2. basic_poc/basic_poc.cpp is a minimal reproducer that dynamically resolves NtQuerySystemInformation from ntdll.dll and passes a hardcoded kernel address 0xffff800041424344 with length 0 to demonstrate the write primitive / BSOD behavior.
3. full_poc/full_poc.cpp is the main exploit chain, substantially more advanced than the basic PoC.
4. full_poc_with_chrome_sandbox_emulator/ contains a near-identical full exploit plus sandbox.c, a Chrome renderer sandbox emulator used to show the exploit remains reachable from a restricted browser sandbox context.

The full exploit appears operational rather than a simple crash PoC. From the visible code, it uses NtQuerySystemInformationEx with SystemBuildVersionInformation (222) and crafted structures to build a confusion/read primitive around CmpLayerVersions/CmpLayerVersionCount-related kernel data. It repeatedly calls a write_at() helper against kernel addresses derived from ntos_base and specific RVAs, searches for a confusion address, locates the current EPROCESS, reads the EPROCESS token, masks the EX_FAST_REF low bits, and then repeatedly increments token privilege-related offsets (token+0x42 and token+0x42+12). It then attempts InjectToWinlogon(), indicating the intended end state is elevated execution in a privileged process after enabling SeDebugPrivilege or equivalent token rights.

The sandbox.c component is not an exploit itself but a realistic harness that recreates Chrome's Windows renderer sandbox token model: lockdown and initial tokens, low/untrusted integrity, deny-only SIDs, restricting SIDs, privilege stripping, and various verification tests. Its purpose is to validate the exploit's claim that the vulnerable syscall path is reachable even from a browser sandbox.

No external network communication, C2, or remote endpoints are present. The exploit is entirely local and Windows-specific, relying on direct native API/syscall access and kernel structure manipulation. The most fingerprintable observables are the use of ntdll!NtQuerySystemInformation / NtQuerySystemInformationEx, the hardcoded example kernel address in the basic PoC, references to kernel offsets such as CmpLayerVersionCount and EPROCESS_Token, and the post-exploitation target winlogon.
70 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An elevation of privilege vulnerability in the Windows Kernel.
A critical Windows kernel privilege escalation vulnerability in ntoskrnl.exe (ExpGetProcessInformation) that can allow unprivileged attackers, including from browser sandboxes, to gain SYSTEM privileges via a deterministic kernel memory manipulation primitive.
A Windows kernel elevation-of-privilege vulnerability caused by an untrusted pointer dereference in nt!ExpGetProcessInformation when NtQuerySystemInformation is called with a zero-length request, enabling arbitrary kernel memory writes, local privilege escalation, and browser sandbox escape.
A specific vulnerability identified as CVE-2026-40369, described in the content as related to escaping the browser sandbox.