The 12-byte arbitrary kernel write in nt!ExpGetProcessInformation via NtQuerySystemInformation(class=0xFD) bypasses ProbeForWrite when Length equals zero, granting renderer sandboxes in Chrome, Edge, and Firefox an unprivileged path to SYSTEM. VoidSec's disclosure correctly traces the call graph through ExpQuerySystemInformation but understates how this primitive interacts with WIL feature flags like Feature_RestrictKernelAddressLeaks, which normally gate pointer leaks yet fail against zero-length probes. Cross-referencing Microsoft’s 2025 kernel hardening papers and Ori Nimron’s independent GitHub PoC shows the same root cause was reachable months earlier through SystemProcessInformation walks. This incident mirrors the 2023 DirtyPipe-style kernel write patterns and the 2024 Windows privilege-escalation clusters, confirming that client-side sandboxing remains a brittle perimeter rather than a resilient boundary. Raw technical drops like VoidSec’s accelerate defender response yet expose the lag in Microsoft’s proactive mitigations for NtCreateToken token forgery chains.