Microsoft patched a critical Windows kernel elevation-of-privilege flaw, CVE-2026-40369, affecting Windows 11 versions 24H2 through 25H2 after public disclosure of technical details and proof-of-concept exploit code. The bug resides in ntoskrnl.exe, specifically nt!ExpGetProcessInformation, and can be triggered via NtQuerySystemInformation, including a zero-length request tied to information class 253, causing an untrusted pointer dereference and unsafe kernel memory writes from an unprivileged process.
Researchers said the vulnerability enables deterministic kernel memory modification, allowing attackers to build kernel read primitives, bypass KASLR, locate structures such as EPROCESS, alter token privileges, and ultimately obtain NT AUTHORITY\SYSTEM execution. Because the flaw is reachable from Chrome, Edge, and Firefox renderer sandboxes, it is considered especially dangerous for browser escape chains; defenders were urged to prioritize patching and watch for unusual NtQuerySystemInformation activity and anomalous kernel interaction patterns.
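The monitoring advice above, as an added example that is not taken from the researcher's or Microsoft's material: it scans syscall telemetry for NtQuerySystemInformation calls that use information class 253 and ranks zero-length requests from browser content processes or low-integrity processes highest. The JSON schema, the sample events and the severity ranking are assumptions made for illustration.

```python
import json

SUSPECT_CLASS = 253  # information class named on the page
# Command-line markers of sandboxed content processes, keyed by image name.
RENDERER_MARKERS = {"chrome.exe": "--type=renderer",
                    "msedge.exe": "--type=renderer",
                    "firefox.exe": "-contentproc"}

# Constructed sample telemetry, one JSON event per line. The schema is
# hypothetical: map the fields to what your EDR or syscall tracer emits.
SAMPLE = r'''
{"ts":"10:01:02","image":"chrome.exe","cmdline":"chrome.exe --type=renderer","integrity":"Untrusted","syscall":"NtQuerySystemInformation","info_class":253,"length":0}
{"ts":"10:01:03","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs","integrity":"System","syscall":"NtQuerySystemInformation","info_class":5,"length":65536}
{"ts":"10:01:04","image":"firefox.exe","cmdline":"firefox.exe -contentproc","integrity":"Low","syscall":"NtQuerySystemInformation","info_class":"0xfd","length":0}
{"ts":"10:01:05","image":"tool.exe","cmdline":"tool.exe","integrity":"Medium","syscall":"NtQuerySystemInformation","info_class":253,"length":0}
truncated-event {"ts":
{"ts":"10:01:07","image":"msedge.exe","cmdline":"msedge.exe --type=gpu-process","integrity":"Low","syscall":"NtQuerySystemInformation","info_class":253,"length":64}
'''

def triage(text):
    """Return (ts, image, severity) for each class-253 query in the telemetry."""
    findings = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            info_class = int(str(ev["info_class"]), 0)  # accepts 253 or "0xfd"
            length = int(ev["length"])
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or malformed event
        if ev.get("syscall") != "NtQuerySystemInformation" or info_class != SUSPECT_CLASS:
            continue
        image = str(ev.get("image", "")).lower()
        marker = RENDERER_MARKERS.get(image)
        sandboxed = bool(marker) and marker in str(ev.get("cmdline", ""))
        restricted = sandboxed or ev.get("integrity") in ("Low", "Untrusted")
        if length != 0:
            severity = "low"      # class 253 seen, but not the zero-length form
        elif restricted:
            severity = "high"     # zero-length request from a sandboxed or low-integrity process
        else:
            severity = "medium"   # zero-length request from an ordinary process
        findings.append((ev.get("ts"), image, severity))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```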

2 events from the most recent confirmed update back to the earliest known activity.
Microsoft addressed the Windows kernel elevation-of-privilege vulnerability CVE-2026-40369 in its May Patch Tuesday security updates. The flaw affects Windows 11 versions 24H2 through 25H2 and resides in nt!ExpGetProcessInformation.
Researcher Ori Nimron publicly disclosed technical details for CVE-2026-40369, including that it can be triggered via NtQuerySystemInformation and abused for kernel memory modification and privilege escalation. Public proof-of-concept exploit code was also released, highlighting potential use in browser sandbox escape chains affecting Chrome, Edge, and Firefox.