PT-2026-40204 · Microsoft · Windows Kernel+1

Published

2026-05-12

·

Updated

2026-06-26

·

CVE-2026-40369

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Windows 11 versions 24H2 through 25H2
Description A heap-based buffer overflow and untrusted pointer dereference in the Windows Kernel (ntoskrnl.exe) allows an authorized attacker to elevate privileges locally to SYSTEM level. The issue exists within the ExpGetProcessInformation() function. When the NtQuerySystemInformation API endpoint is called with information class 253 and a Length variable set to zero, the ProbeForWrite guard is bypassed because it is wrapped in an if (Length) check. This allows a 12-byte arbitrary kernel write primitive where the kernel increments memory addresses at an attacker-controlled location. This flaw is particularly significant as it can be triggered from unprivileged processes, including browser renderer sandboxes (such as Chrome, Edge, and Firefox), because Win32k lockdown does not block this specific system call.
Recommendations Update Windows 11 versions 24H2 through 25H2 to the versions released in the May 12 Patch Tuesday update.

Exploit

Fix

RCE

LPE

Untrusted Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-06638
CVE-2026-40369

Affected Products

Windows
Windows Kernel