Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Exposure of sensitive information to an unauthorized actor in Windows Hyper-V allows an authorized attacker to disclose information locally.
AnalysisAI
Local information disclosure in Windows Hyper-V enables an authenticated low-privileged attacker to access sensitive data they are not authorized to read, without any user interaction. Affected systems span a broad range of Windows desktop and server editions from Server 2012 through Windows 11 26H1 and Server 2025. No public exploit identified at time of analysis and no CISA KEV listing; however, the high confidentiality impact (C:H) and breadth of affected versions make this a meaningful patching priority, particularly in multi-tenant virtualization environments.
Technical ContextAI
Windows Hyper-V is Microsoft's native Type-1 hypervisor, present across both client and server Windows SKUs. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause as improper access control or inadequate isolation in how Hyper-V surfaces information to lower-privileged callers - potentially exposing hypervisor-managed memory regions, guest VM state, or host kernel data structures to a low-privileged local process. The attack vector (AV:L) and scope (S:U) confirm this is a local, non-hypervisor-escape issue confined to the affected system's privilege boundary. Affected CPE contexts span Windows NT kernel builds from 6.2.x (Server 2012) through 10.0.28000.x (Windows 11 26H1), confirming the flaw exists across multiple generations of the Hyper-V implementation.
RemediationAI
Apply the vendor-released security update addressing CVE-2026-42972 via Windows Update, WSUS, or Microsoft Update Catalog as documented in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42972. Target build versions per platform are: Server 2012 ≥6.2.9200.26132, Server 2012 R2 ≥6.3.9600.23228, Server 2016/Windows 10 1607 ≥10.0.14393.9234, Server 2019/Windows 10 1809 ≥10.0.17763.8880, Server 2022 ≥10.0.20348.5256, Server 2025/Windows 11 24H2 ≥10.0.26100.32995 (Server 2025) or 10.0.26100.8655 (Win11 24H2), Windows 11 23H2 ≥10.0.22631.7219, Windows 11 25H2 ≥10.0.26200.8655, Windows 11 26H1 ≥10.0.28000.2269. If patching is not immediately possible, consider restricting local interactive logon rights on Hyper-V hosts to the minimum necessary administrative accounts, which reduces the pool of users who could trigger the disclosure. Disabling Hyper-V entirely is an option only if the role is not operationally required, as it will break all hosted VMs. Note that the patch scope is exact fixed builds per SKU; partial updates may leave sub-components vulnerable.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35729
GHSA-6g3f-j7jw-9v65