
Windows Kernel Bug Breaks Every Browser Sandbox — And It Almost Stayed Secret Until Pwn2Own

CVE-2026-40369 is a Windows 11 kernel flaw letting attackers escape Chrome, Edge & Firefox sandboxes and gain SYSTEM access. Here's how it works.

Windows 11 Kernel Bug

A security researcher prepared a devastating Windows kernel exploit for Pwn2Own Berlin 2026 — then had to watch it go public days before the contest even started.

CVE-2026-40369 is a kernel write primitive in nt!ExpGetProcessInformation reachable from unprivileged code: any context that can call NtQuerySystemInformation, which includes the renderer sandboxes of Chrome, Edge and Firefox, can have three DWORDs (12 bytes) at a kernel address of its choosing incremented. What makes this stand out is that the browser sandbox, the isolation layer that is supposed to contain a compromised tab, does nothing to stop it: the sandbox limits which objects a renderer can open, not whether it can issue this system call.

The researcher, Paolo Stagno (VoidSec), had originally prepared the bug for Pwn2Own Berlin. A couple of days before the contest the CVE was assigned and the bug went public. That timing ended any competition entry, but the disclosure gave the security community something arguably more valuable: a meticulous technical breakdown of how the flaw works and exactly how far an attacker can take it.

What the Bug Actually Does

The vulnerability resides in ntoskrnl.exe, in the function ExpGetProcessInformation, and is triggered by calling NtQuerySystemInformation with information class 253 (SystemProcessInformationExtension), passing a kernel address as the output buffer and a length of zero.

The trick is brutally simple. ProbeForWrite, the routine the kernel uses to check that a caller-supplied buffer lies in user space before writing to it, does nothing when the supplied length is zero: its entire body sits under if (Length). That is the routine's intended behaviour rather than a bug in its own right, since a zero-length buffer has no bytes to validate. The flaw is that a zero length is accepted and the unvalidated kernel pointer is handed straight to ExpGetProcessInformation, which then writes through it anyway.

Once inside, the function iterates over every running process on the system and, for class 253, increments three DWORD values at the attacker-chosen kernel address, a reliable 12-byte write. Note what the attacker controls: the address, not the value written. Each DWORD is bumped rather than overwritten, which is still enough to reach SYSTEM, as the next section shows. Critically, ExpGetProcessInformation does detect the length mismatch and sets STATUS_INFO_LENGTH_MISMATCH, but it does not return early: it stores the error and keeps running the write loop for every process before returning, so the caller receives an error code and kernel memory is modified all the same.
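To make the two halves of the bug concrete, here is a small user-mode model written for this article. It is not code from VoidSec's write-up or from Microsoft's kernel: a flat array stands in for memory, probe_for_write mirrors the if (Length) gate, the vulnerable routine records STATUS_INFO_LENGTH_MISMATCH but keeps writing, and a corrected shape (an assumption about what a fix looks like, not Microsoft's actual patch) refuses before the loop. The process count, record layout and addresses are made up for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the NtQuerySystemInformation -> ProbeForWrite ->
 * ExpGetProcessInformation path. Hypothetical user-mode code for
 * illustration only: a flat 64 KiB array stands in for memory, and
 * addresses at or above KERNEL_BASE are treated as kernel space.
 */
#define MEM_SIZE      0x10000u
#define KERNEL_BASE   0x8000u
#define NUM_PROCESSES 5     /* assumed process count for the model */
#define RECORD_SIZE   12    /* three DWORDs touched per process    */

typedef uint32_t NTSTATUS_T;
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#define STATUS_ACCESS_VIOLATION     0xC0000005u

static uint8_t g_memory[MEM_SIZE];

void reset_memory(void) { memset(g_memory, 0, sizeof g_memory); }

uint32_t read_dword(uint32_t addr) {
    uint32_t v;
    memcpy(&v, g_memory + addr, sizeof v);
    return v;
}

static void inc_dword(uint32_t addr) {
    uint32_t v = read_dword(addr) + 1;
    memcpy(g_memory + addr, &v, sizeof v);
}

/*
 * Model of ProbeForWrite. As in the real kernel the whole body is gated on
 * Length: a zero-length probe checks nothing and "succeeds" for any pointer.
 * Returns false where the real routine would raise STATUS_ACCESS_VIOLATION.
 */
bool probe_for_write(uint32_t addr, size_t length) {
    if (length) {
        if (addr >= KERNEL_BASE || length > KERNEL_BASE - addr)
            return false;
    }
    return true;
}

/* Vulnerable shape: the mismatch is recorded, but the write loop still runs. */
NTSTATUS_T get_process_info_vulnerable(uint32_t buf, size_t length) {
    NTSTATUS_T status = STATUS_SUCCESS;
    if (length < (size_t)NUM_PROCESSES * RECORD_SIZE)
        status = STATUS_INFO_LENGTH_MISMATCH;   /* stored, not returned */
    for (int i = 0; i < NUM_PROCESSES; i++) {   /* one pass per process */
        inc_dword(buf + 0);
        inc_dword(buf + 4);
        inc_dword(buf + 8);
    }
    return status;
}

/* Assumed corrected shape: settle the length question before any write. */
NTSTATUS_T get_process_info_fixed(uint32_t buf, size_t length) {
    if (length < (size_t)NUM_PROCESSES * RECORD_SIZE)
        return STATUS_INFO_LENGTH_MISMATCH;     /* nothing written */
    for (int i = 0; i < NUM_PROCESSES; i++) {
        inc_dword(buf + 0);
        inc_dword(buf + 4);
        inc_dword(buf + 8);
    }
    return STATUS_SUCCESS;
}

/* Model of the system-call entry: probe the caller's buffer, then dispatch. */
NTSTATUS_T query_system_information(bool fixed, uint32_t buf, size_t length) {
    if (!probe_for_write(buf, length))
        return STATUS_ACCESS_VIOLATION;
    return fixed ? get_process_info_fixed(buf, length)
                 : get_process_info_vulnerable(buf, length);
}

int main(void) {
    const uint32_t target = 0x9000;   /* a "kernel" address picked by the caller */
    NTSTATUS_T s;

    reset_memory();
    s = query_system_information(false, target, 0);
    printf("vulnerable, len=0: status 0x%08X, dword[0]=%u dword[2]=%u\n",
           (unsigned)s, read_dword(target), read_dword(target + 8));

    reset_memory();
    s = query_system_information(true, target, 0);
    printf("fixed,      len=0: status 0x%08X, dword[0]=%u\n",
           (unsigned)s, read_dword(target));

    s = query_system_information(false, target, 4);
    printf("vulnerable, len=4: status 0x%08X (probe rejects the pointer)\n",
           (unsigned)s);
    return 0;
}
```

Build with any C compiler (for example cc model.c) and run it. The first call returns the mismatch error while every one of the three target DWORDs has been incremented once per modelled process; the fixed routine returns the same error with memory untouched; and as soon as the length is non-zero the probe rejects the kernel pointer, which is why the real trigger needs Length=0.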

The exploit's reliability is described as 100% deterministic. And because NtQuerySystemInformation is an ntoskrnl system call rather than a win32k one, Chrome's win32k lockdown does not filter it, and neither the restricted token nor the untrusted integrity level of a renderer process prevents the call from being made: those controls limit which objects a process can open, not which system calls it can issue. The primitive is therefore fully reachable from the renderer sandboxes of Chrome, Edge and Firefox.

From Sandbox to SYSTEM

VoidSec's full write-up chains this primitive into a complete local privilege escalation, lifting a Medium-integrity, non-administrator process to NT AUTHORITY\SYSTEM via NtCreateToken. The write primitive needs a kernel address to aim at, so KASLR (kernel address space layout randomization) has to be defeated first; the write-up pairs the exploit with the open-source prefetch-tool for that. The result is that an attacker operating from inside a sandboxed browser tab could, in theory, reach full system ownership in two chained steps: leak an address, then write. Two caveats apply. The demonstrated chain starts at Medium integrity, whereas renderer processes run at Untrusted integrity with a restricted token, and the attacker still needs a separate renderer bug to run code in the tab in the first place; the kernel flaw removes the sandbox as an obstacle, it does not replace the browser exploit.

Microsoft assigned it a CVSS score of 7.8 and classified the flaw as an Elevation of Privilege vulnerability affecting Windows 11 versions 24H2 and 25H2.

The Patch Is Already Out

Microsoft's May 2026 Patch Tuesday, released on May 12, includes a fix for CVE-2026-40369. Researcher Ori Nimron (@orinimron123) has since published three tiers of working exploit code on GitHub: a basic PoC, a full exploit, and a variant with a Chrome sandbox emulator. That makes the bug easy to test for defenders checking their own environments and, inevitably, easy for those with less benign intentions too.

What You Should Do

If you manage Windows 11 24H2 or 25H2 endpoints and have not yet applied the May 2026 cumulative update, that should move to the top of your patch queue immediately.

The combination of sandbox reachability, deterministic reliability and public exploit code means this vulnerability has crossed the threshold where "we'll get to it next cycle" is no longer a safe posture. Where your endpoint telemetry exposes system calls at information-class granularity, also alert on NtQuerySystemInformation class 253 calls, which have no legitimate user-space use case. Where it does not, watch for the downstream effect the exploit chain produces instead: a low-privilege process, a browser renderer in particular, turning up with a SYSTEM token it never should have held.
