Show HN: CVE-2026-40369 Windows Kernel Arbitrary Write Chrome SBX
A researcher aimed to exploit a Windows kernel bug to escape Chrome's renderer sandbox for the Pwn2Own Berlin 2026 competition. Despite developing a successful exploit, the researcher was rejected from the contest due to overwhelming interest and capacity limits. Consequently, the researcher has opted for full public disclosure of the findings.
- The researcher targeted a Windows kernel bug to escape Chrome's renderer sandbox.
- They discovered a trivially exploitable arbitrary kernel write primitive in a heavily audited syscall.
- The researcher was rejected from the Pwn2Own Berlin competition due to maximum capacity limits.
Opening excerpt (first ~120 words):
Preface — How I Got Here

I wanted to compete in Pwn2Own Berlin 2026 in the Web Browser category. The target: escape Chrome's renderer sandbox via a Windows kernel bug — starting from a compromised renderer process, demonstrate code execution outside the sandbox.

Chrome's sandbox makes the kernel attack surface surprisingly small. The renderer process runs at untrusted integrity with a heavily restricted token. Win32k is completely locked out (win32k lockdown), which eliminates the entire GDI/USER attack surface that has historically been the bread and butter of Windows kernel exploitation. What's left? A handful of NT syscalls that aren't blocked: file operations (heavily filtered by the broker), registry (mostly read-only), and a few system information queries.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Pwn2nimron.