ercihan/CVE-2026-40369

# CVE-2026-40369: Defensive Analysis of the 12-Byte Windows Kernel Increment Primitive [](https://creativecommons.org/licenses/by-nc-sa/4.0/) [](./CVE_2026_40369.pdf) A defensive technical analysis of **CVE-2026-40369**, a Windows Kernel Elevation of Privilege vulnerability that provides a constrained 12-byte additive write primitive via `NtQuerySystemInformation` (class `0xFD` / 253). This report focuses on exploitability constraints, root cause analysis, and defensive implications rather than weaponization. ## Overview CVE-2026-40369 allows an attacker to perform additive writes to three adjacent `DWORD`s in kernel memory when calling `NtQuerySystemInformation` with information class `253` and a zero-length buffer. While limited, the primitive can be leveraged for KASLR bypass and privilege escalation when carefully targeted. This analysis covers: - Root cause reconstruction of the probe bypass and non-returning length check - Detailed breakdown of the 12-byte additive write primitive and its constraints - Mathematical analysis of the `Feature_RestrictKernelAddressLeaks` KASLR defeat technique - Review of publicly documented exploitation paths (WIL feature state + alternative read primitive approaches) - Catalog of build-specific offsets from public proof-of-concept code - Defensive detection and hardening recommendations ## Key Highlights - **Precise arithmetic analysis** of the WIL feature state byte manipulation (`0x57` → `0x10`) - Clear distinction between the **mask condition** and **exact byte** goals when disabling the kernel pointer leak mitigation - Responsible cataloguing of offsets from the public exploit repository - Strong focus on **exploit constraints** rather than exploitation steps - Defensive recommendations for detection and mitigation