A critical local privilege escalation vulnerability, CVE-2026-40369, has been disclosed in the Windows kernel affecting Windows 11 versions 24H2 and 25H2, with advisories noting Windows Server 2025 may also be impacted. The flaw resides in ntoskrnl.exe within the ExpGetProcessInformation function, reachable via a single NtQuerySystemInformation syscall with information class 253; improper validation when the buffer length is zero allows an attacker to perform an arbitrary 12-byte kernel write (increment) primitive from any unprivileged context, including browser renderer sandboxes. Microsoft rated the vulnerability CVSS 7.8 (High) and addressed it in the May 2026 Patch Tuesday cumulative updates. Researcher Ori Nimron has published a full exploit package, and the exploit is confirmed publicly available, enabling reliable escalation to SYSTEM when chained with a kernel ASLR bypass. Azure workloads running Windows Server 2025 virtual machines or Windows 11-based environments are at risk until the May 2026 patches are applied. No configuration-based workaround is reported to fully remove the attack surface.
// Alert
Microsoft Azure threat report
// Get alerts for Microsoft Azure