CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters

Cybersecurity News Archived May 27, 2026 ✓ Full text saved

A critical Windows kernel vulnerability, tracked as CVE-2026-40369, has been disclosed, enabling attackers to achieve full SYSTEM-level privilege escalation even from the most restricted environments, including browser sandboxes. Discovered by security researcher Ori Nimron, the flaw affects Windows 11 versions 24H2 through 25H2 and resides in the ntoskrnl.exe component, specifically within the ExpGetProcessInformation function. The […] The post Windows Kernel Vulnerability Allows Attackers to M

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters By Abinaya May 27, 2026 A critical Windows kernel vulnerability, tracked as CVE-2026-40369, has been disclosed, enabling attackers to achieve full SYSTEM-level privilege escalation even from the most restricted environments, including browser sandboxes. Discovered by security researcher Ori Nimron, the flaw affects Windows 11 versions 24H2 through 25H2 and resides in the ntoskrnl.exe component, specifically within the ExpGetProcessInformation function. The vulnerability is particularly severe because it is 100% deterministic, requiring only a single system call from an unprivileged process to manipulate kernel memory. At the core of the issue is the NtQuerySystemInformation syscall using information class 253 (SystemProcessInformationExtension). Windows Kernel Vulnerability When invoked with a buffer length of zero, the kernel’s ProbeForWrite validation is completely bypassed, allowing any user-supplied pointer, including kernel addresses, to be used without checks. This results in a powerful, arbitrary kernel-memory-increment primitive. During execution, the vulnerable function iterates through all running processes. Increments values at an attacker-controlled memory address, effectively modifying kernel memory in a predictable, repeatable manner. This flaw stands out because it does not rely on traditional exploitation techniques such as race conditions, heap spraying, or token manipulation. Instead, it provides direct write access to kernel memory through a logic flaw. Because NtQuerySystemInformation is not subject to common sandbox protections such as Win32k lockdown or integrity-level checks. The vulnerability is reachable from sandboxed environments such as Chrome, Edge, and Firefox renderers, making it highly valuable for browser escape chains. An example attack scenario begins with a compromised browser renderer process. Using this vulnerability, an attacker can increment specific kernel structures to gain further primitives, including arbitrary kernel read capabilities. By carefully corrupting internal structures such as CmpLayerVersions, attackers can redirect kernel pointers into user-controlled memory and extract sensitive kernel data. This enables bypassing protections such as Kernel Address Space Layout Randomization (KASLR) and locating critical structures, such as EPROCESS. With kernel read access established, attackers can traverse the active process list to locate their own process token and manipulate privilege bitmasks. Incrementing specific offsets within the token structure can enable privileges such as SeDebugPrivilege. This allows opening handles to high-privilege processes like winlogon.exe and injecting malicious code, ultimately spawning a command shell running as NT AUTHORITY\SYSTEM. The vulnerability also highlights a broader architectural weakness: Windows does not enforce Supervisor Mode Access Prevention (SMAP), allowing the kernel to access user-mode memory during exploitation safely. This behavior enables attackers to map fake structures in user space and have the kernel process them without triggering faults, significantly simplifying exploitation. Security researcher Ori Nimron emphasized that this bug exists in a highly scrutinized syscall, demonstrating that even well-audited code paths can contain critical flaws. The vulnerability was originally developed for Pwn2Own Berlin 2026. However, it was publicly disclosed after the submission was rejected due to capacity constraints. Currently, no official patch details have been confirmed, and users running affected Windows 11 builds are at risk. Organizations are advised to monitor for unusual NtQuerySystemInformation usage, apply updates as soon as they become available, and implement endpoint detection rules to identify abnormal kernel interaction patterns. This vulnerability underscores the ongoing risks in kernel attack surfaces and the importance of continuous security auditing. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access How Tier 1 Can Process Alerts 3x Faster with Threat Intelligence MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns Attackers Abuse Open RDP Ports to Gain Initial Access Into Business Networks CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks Latest News Press Release Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon Cyber Security News Seedworm APT Abuses Signed Fortemedia and SentinelOne Binaries for DLL Sideloading Uncategorized ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls Cyber Security News Hackers Abuse Trusted Google Domains to Hide Phishing Links From Email Gateways Apple Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗