CVE-2026-40369-EXPLOIT: A Minimalist Kernel Write Primitive for Browser Sandbox Escape

Kernel vulnerabilities that cross process boundaries represent some of the most valuable attack primitives in modern exploitation. While many CVEs focus on initial code execution or information disclosure, CVE-2026-40369 occupies a more specialized niche: it provides a clean, deterministic arbitrary kernel write capability that works from within browser sandboxes. The associated exploit code in CVE-2026-40369-EXPLOIT demonstrates how this particular flaw can be weaponized with minimal complexity.

What Makes This Exploit Different

Most kernel exploit demonstrations include extensive scaffolding for privilege escalation, token stealing, or KASLR bypass. This project takes a more surgical approach by focusing on a single primitive: controlled kernel memory increment. The vulnerability exists in ExpGetProcessInformation, a function called by NtQuerySystemInformation for specific information classes. What makes this particularly dangerous is that class 253 (SystemProcessInformationExtension) fails to validate the output buffer pointer when the length parameter is zero—a condition that completely bypasses the ProbeForWrite validation.

The exploit's reliability stems from its deterministic nature. Rather than attempting to spray memory or rely on timing-based allocations, it leverages the system's actual process enumeration to calculate precise memory modifications. For each process on the system, the kernel attempts to increment three 32-bit values at attacker-controlled addresses: the process count, total thread count, and total handle count. This creates a predictable write primitive that doesn't require heap grooming or race conditions.

Crucially, the project demonstrates that this attack works from within browser sandboxes. Traditional exploit mitigations often block specific system calls or restrict token privileges, but NtQuerySystemInformation remains accessible. This means Chrome, Edge, and Firefox renderers are all potentially vulnerable to follow-up attacks that chain this primitive with other exploits.

The Trade-offs

The exploit's simplicity comes with notable limitations. It provides only an increment operation—not arbitrary write—and targets a very specific Windows version range (11 24H2-25H2). The author notes 100% reliability within this scope, but the attack surface is narrow. There's also no built-in KASLR bypass, though the README suggests chaining with external tools like the prefetch-based KASLR defeat mentioned in the documentation.

From a defensive perspective, the vulnerability reveals a concerning pattern: error handling paths that continue execution after detecting invalid parameters. The code sets an error status but proceeds with the sensitive memory operations, essentially turning validation failures into exploitable conditions.

What It Ships With

The repository delivers a complete demonstration focused on its core capability:

  • Minimal C11 proof-of-concept: A self-contained reproducer requiring only Windows headers and linker access
  • Deterministic kernel write: Increment operations across process, thread, and handle counters
  • Sandbox escape verification: Demonstration that NtQuerySystemInformation bypasses Chrome's win32k lockdown
  • Crash analysis: Detailed bug check information showing the exact instruction that faults

If You Want to Try It

The exploit is implemented in C++ and requires Windows development environments capable of kernel-mode debugging for full analysis. Building needs standard Windows SDK headers and x64 compilation targeting Windows 11 24H2 or later. The README contains detailed crash dumps and reproduction steps that provide sufficient context for understanding the vulnerability mechanics without additional setup complexity.

Context and Availability

This exploit occupies an interesting position in the Windows security ecosystem. It's not a full-spectrum privilege escalation tool, but rather a targeted primitive that fits into broader attack chains. For researchers studying sandbox escape techniques or developing detection mechanisms, it represents a clean case study in how seemingly minor validation oversights can become critical attack vectors. The source is on GitHub.