CVE-2026-40369 is an unprivileged arbitrary 12-byte kernel write in nt!ExpGetProcessInformation, reachable from Chrome/Edge/Firefox renderer sandboxes via NtQuerySystemInformation. A walk through the unchecked ProbeForWrite path and a five-phase LPE that forges a SYSTEM token with NtCreateToken. core-jmp.org/2026/06/cve-202… #BrowserExploitation #ChromeSandboxEscape #CVE #CVE202640369 #KASLR #KernelExploitation #KernelR/WPrimitive #LocalPrivilegeEscalation #NtCreateToken #ntoskrnlexe #NtQuerySystemInformation #Pwn2Own #SandboxEscape #Syscalls #SYSTEMPrivileges #Windows11 #Windows1125H2 #WindowsExploitDevelopment #WindowsInternals #WindowsKernel #WindowsKernelExploitation #WindowsKernelVulnerability #WindowsLPE #WindowsPrivilegeEscalation #Windowssecurity #WindowsServer2025
First part of chapter 11 has been published (security)! See how to call NtCreateToken :) Chapter 10 is not ready yet, I'll leave it for later. leanpub.com/windowsnativeapi…
AP->LSA (NtCreateToken)
LSA->Kernel (LSA kernel driver)
Kernel->LSA (RPC)
Wheeeeeee