PT-2026-40204 · Microsoft · Windows Kernel, Windows

Published: 2026-05-12 · Updated: 2026-05-20 · CVE-2026-40369

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Windows 11 24H2, Windows 11 25H2
Description: An untrusted pointer dereference in the Windows Kernel allows an authorized attacker (a local, low-privileged user, per the CVSS vector) to elevate privileges. The issue is in ntoskrnl.exe, in the ExpGetProcessInformation() function, reached through the NtQuerySystemInformation system call with information class 253. When the caller passes a length argument of zero, the ProbeForWrite guard is skipped because it is wrapped in an if (Length) check, so the caller-supplied pointer is never validated as a user-mode address. A kernel address can therefore be passed in and is subsequently incremented, giving the attacker an arbitrary kernel address increment primitive. Because the primitive is reachable from browser render process sandboxes, such as those of Chrome, Edge and Firefox, it could serve as a building block for a sandbox escape.
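The bug class described above (a pointer probe that only executes when the length is non-zero) shown beside a hardened handler. This is a constructed model added to this advisory for illustration; it is not ntoskrnl.exe code and does not reproduce ExpGetProcessInformation(), ProbeForWrite or the real Windows memory layout. The simulated address space, the boundary constant, the kernel "flag word", the status values and all helper names are assumptions.

```c
/*
 * Constructed model of the bug class: a pointer probe that only runs when
 * Length != 0. Example code added to this advisory; it is NOT ntoskrnl.exe and
 * does not reproduce ExpGetProcessInformation(), ProbeForWrite or Windows'
 * memory layout. All addresses, names and status values below are assumed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Simulated flat address space. Below USER_PROBE_ADDRESS is user mode, at or
   above it is kernel mode (stand-in for MmUserProbeAddress). */
#define ADDRESS_SPACE_SIZE 0x10000u
#define USER_PROBE_ADDRESS 0x8000u
#define KERNEL_FLAG_ADDR   0xC000u   /* a kernel-mode word an attacker wants to bump */
#define USER_BUFFER_ADDR   0x1000u   /* a legitimate caller's output buffer */

static uint8_t g_memory[ADDRESS_SPACE_SIZE];

typedef enum {
    STATUS_SUCCESS = 0,
    STATUS_ACCESS_VIOLATION = 1,
    STATUS_INFO_LENGTH_MISMATCH = 2
} status_t;

static uint32_t read_u32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, &g_memory[addr], sizeof v);
    return v;
}

static void write_u32(uint32_t addr, uint32_t v) {
    memcpy(&g_memory[addr], &v, sizeof v);
}

/* Stand-in for ProbeForWrite: accept only if [addr, addr+len) lies entirely
   in user space. Assumed behaviour: a zero length probes nothing, so a probe
   alone is never a sufficient check for a zero-length request. */
static bool probe_for_write(uint32_t addr, uint32_t len) {
    if (len == 0) return true;
    if (addr >= USER_PROBE_ADDRESS) return false;
    return (uint64_t)addr + len <= USER_PROBE_ADDRESS;
}

/* VULNERABLE pattern: the probe is wrapped in `if (Length)`. A caller passing
   Length == 0 skips validation entirely, yet the handler still increments the
   32-bit word at the caller-supplied address, which may be in kernel space. */
static status_t query_info_vulnerable(uint32_t info, uint32_t length) {
    if (length) {
        if (!probe_for_write(info, length)) return STATUS_ACCESS_VIOLATION;
    }
    write_u32(info, read_u32(info) + 1);   /* bookkeeping write, unconditional */
    return STATUS_SUCCESS;
}

/* HARDENED pattern: validate before any use, independent of Length. The
   address is compared against the user/kernel boundary unconditionally, and a
   buffer too small to hold the word that will be written is rejected, so the
   probe always runs with a non-zero length. */
static status_t query_info_hardened(uint32_t info, uint32_t length) {
    if (info >= USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    if (length < sizeof(uint32_t)) return STATUS_INFO_LENGTH_MISMATCH;
    if (!probe_for_write(info, length)) return STATUS_ACCESS_VIOLATION;
    write_u32(info, read_u32(info) + 1);
    return STATUS_SUCCESS;
}

/* Helpers so the outcome can be inspected: reset memory, seed the kernel word. */
static void reset_memory(void) {
    memset(g_memory, 0, sizeof g_memory);
    write_u32(KERNEL_FLAG_ADDR, 0x41);
}

static uint32_t kernel_flag(void) { return read_u32(KERNEL_FLAG_ADDR); }

int main(void) {
    reset_memory();
    status_t s = query_info_vulnerable(KERNEL_FLAG_ADDR, 0);
    printf("vulnerable, Length=0: status %d, kernel word 0x41 -> 0x%x\n", (int)s, kernel_flag());
    reset_memory();
    s = query_info_hardened(KERNEL_FLAG_ADDR, 0);
    printf("hardened,   Length=0: status %d, kernel word stays 0x%x\n", (int)s, kernel_flag());
    return 0;
}
```

The point to take from the model is the ordering: the vulnerable handler makes its validity check conditional on a value the caller controls, so the caller can choose the branch in which no check happens. The hardened handler validates the pointer against the user/kernel boundary before it is ever used, and rejects a request that is too short for the write the handler is going to perform.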
Recommendations: At the time of writing there is no information about a version that contains a fix for this vulnerability.

Exploit · LPE

Weakness Enumeration

Untrusted Pointer Dereference (CWE-822)

Related Identifiers

BDU:2026-06638
CVE-2026-40369

Affected Products

Windows
Windows Kernel