CVE-2026-40369

Severity: HIGH

Microsoft Windows 11 Version 24H2 - Windows Kernel Elevation of Privilege Vulnerability

Title source: rule

Exploitation Summary

EIP tracks 6 public exploits for CVE-2026-40369. PoCs published by Hex0rc1st, piffd0s, ercihan.

AI-analyzed exploit summary: This repository provides an IDA Python script to extract critical kernel metadata (function RVAs and _EPROCESS structure offsets) from Windows ntoskrnl.exe binaries, aiding in the development of exploits for CVE-2026-40369. It includes detailed technical documentation and usage instructions.

Description

Untrusted pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally.

Exploits (6)

WRITEUP (source: nomisec) by piffd0s · poc
https://github.com/piffd0s/ntoskrnl-metadata

This repository provides an IDA Python script to extract critical kernel metadata (function RVAs and _EPROCESS structure offsets) from Windows ntoskrnl.exe binaries, aiding in the development of exploits for CVE-2026-40369. It includes detailed technical documentation and usage instructions.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Windows ntoskrnl.exe
No auth needed
Prerequisites: IDA Pro with Python support · Windows PDB symbols loaded for ntoskrnl.exe
Analyzed by devstral-2 on May 23, 2026
WRITEUP (source: github) by ercihan · poc
https://github.com/ercihan/CVE-2026-40369

This repository provides a defensive technical analysis of CVE-2026-40369, a Windows Kernel Elevation of Privilege vulnerability. It includes a detailed PDF report focusing on root cause analysis, exploitability constraints, and defensive implications rather than weaponization.

Classification: Writeup 100%
Attack Type: Lpe
Complexity: Complex
Reliability: Theoretical
Target: Windows Kernel
No auth needed
Prerequisites: Access to Windows Kernel · Understanding of kernel exploitation techniques
Analyzed by devstral-2 on May 22, 2026
WORKING POC (source: github) by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/linux/CVE-2026-40369-EXPLOIT

The repository contains functional exploit code for CVE-2026-40369, demonstrating arbitrary kernel memory writes via a ProbeForWrite bypass in NtQuerySystemInformation. It includes multiple PoC variants, including a basic exploit and a full exploit with kernel memory read/write capabilities.

Classification: Working Poc 95%
Attack Type: Lpe
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (kernel)
No auth needed
Prerequisites: Windows system with vulnerable kernel · ability to execute arbitrary code in user mode
Analyzed by devstral-2 on May 21, 2026
WORKING POC (source: nomisec) by orinimron123 · poc
https://github.com/orinimron123/CVE-2026-40369-EXPLOIT

This repository contains a functional exploit for CVE-2026-40369, demonstrating an arbitrary kernel address increment vulnerability in Windows 11 24H2-25H2 via NtQuerySystemInformation (Class 253). The PoC includes both basic and full exploit code, with detailed root cause analysis and crash logs.

Classification: Working Poc 95%
Attack Type: Lpe
Complexity: Moderate
Reliability: Reliable
Target: Windows 11 24H2-25H2 (ntoskrnl.exe)
No auth needed
Prerequisites: Unprivileged process access · Ability to call NtQuerySystemInformation
Analyzed by devstral-2 on May 14, 2026

References (1)

Core References
Vendor Advisory (vendor-advisory, patch): Windows Kernel Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40369

Scores

CVSS v3: 7.8
EPSS: 0.0001
EPSS Percentile: 3.0%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-822
Status: published
Products (9):
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8457
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8457
Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.2113
Microsoft/Windows Server 2025 10.0.26100.0 - 10.0.26100.32860
Microsoft/Windows Server 2025 (Server Core installation) 10.0.26100.0 - 10.0.26100.32860
microsoft/windows_11_24h2 < 10.0.26100.8390 (2 CPE variants)
microsoft/windows_11_25h2 < 10.0.26200.8390 (2 CPE variants)
microsoft/windows_11_26h1 < 10.0.28000.2113 (2 CPE variants)
microsoft/windows_server_2025 < 10.0.26100.32772
Published: May 12, 2026
Tracked Since: May 12, 2026