Share
## https://sploitus.com/exploit?id=5A84AC4B-6548-582E-8AC4-9B7BD2EA2BF9
# CVE-2026-40369: Defensive Analysis of the 12-Byte Windows Kernel Increment Primitive

[![License: CC BY-NC-SA 4.0](https://img.shields.io/badge/License-CC%20BY--NC--SA%204.0-lightgrey.svg)](https://creativecommons.org/licenses/by-nc-sa/4.0/)
[![Report](https://img.shields.io/badge/Report-PDF-blue)](./CVE_2026_40369.pdf)

A defensive technical analysis of **CVE-2026-40369**, a Windows Kernel Elevation of Privilege vulnerability that provides a constrained 12-byte additive write primitive via `NtQuerySystemInformation` (class `0xFD` / 253).

This report focuses on exploitability constraints, root cause analysis, and defensive implications rather than weaponization.

## Overview

CVE-2026-40369 allows an attacker to perform additive writes to three adjacent `DWORD`s in kernel memory when calling `NtQuerySystemInformation` with information class `253` and a zero-length buffer. While limited, the primitive can be leveraged for KASLR bypass and privilege escalation when carefully targeted.

This analysis covers:
- Root cause reconstruction of the probe bypass and non-returning length check
- Detailed breakdown of the 12-byte additive write primitive and its constraints
- Mathematical analysis of the `Feature_RestrictKernelAddressLeaks` KASLR defeat technique
- Review of publicly documented exploitation paths (WIL feature state + alternative read primitive approaches)
- Catalog of build-specific offsets from public proof-of-concept code
- Defensive detection and hardening recommendations

## Key Highlights

- **Precise arithmetic analysis** of the WIL feature state byte manipulation (`0x57` โ†’ `0x10`)
- Clear distinction between the **mask condition** and **exact byte** goals when disabling the kernel pointer leak mitigation
- Responsible cataloguing of offsets from the public exploit repository
- Strong focus on **exploit constraints** rather than exploitation steps
- Defensive recommendations for detection and mitigation