Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local Hyper-V interface reachable by any authenticated low-priv user (AV:L, PR:L, AC:L), no UI, and hypervisor code execution yields full C/I/A impact on the host.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Windows Hyper-V allows an authenticated low-privilege attacker to run arbitrary code on the host via an out-of-bounds read (CWE-125) in the hypervisor. The flaw affects a broad swath of Windows 10, Windows 11, and Windows Server builds running Hyper-V, and Microsoft has released patches. No public exploit identified at time of analysis and EPSS is very low (0.06%), but SSVC technical impact is rated total.
Technical ContextAI
Hyper-V is Microsoft's Type-1 hypervisor that underpins virtualization on client Windows (Windows 10/11) and Windows Server, providing the virtualization stack used by Windows Sandbox, WSL2, virtualization-based security (VBS), and traditional guest VMs. The root cause is CWE-125 (out-of-bounds read): the hypervisor or a Hyper-V component reads memory past the bounds of an allocated buffer, which in this case is leveraged to gain code execution rather than just disclose memory - likely because the OOB read corrupts subsequent control-flow data or feeds attacker-controlled values into a code path that the attacker can pivot from. CPE data confirms the issue affects the kernel-mode OS components (cpe:2.3:o:microsoft:...) across x64 and arm64 builds of Windows 10 1607/1809/21H2/22H2 and Windows 11 23H2/24H2/25H2, indicating the vulnerable code lives in the shipped Hyper-V binaries common to those releases.
RemediationAI
Apply the vendor-released cumulative updates from Microsoft that raise affected builds to the fixed versions listed in the EUVD data (for example 10.0.19045.7417 for Windows 10 22H2, 10.0.22631.7219 for Windows 11 23H2, 10.0.26100.8655 for Windows 11 24H2 / Server 2025, and 10.0.17763.8880 for Server 2019 and Windows 10 1809); see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45607 for the per-KB mapping. On systems that cannot be patched immediately, restrict local logon to trusted administrators and remove the 'Hyper-V Administrators' membership from non-essential accounts (trade-off: blocks legitimate VM management), and on hosts that do not need virtualization disable the Hyper-V role/feature via Server Manager or Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All (trade-off: also disables VBS/HVCI, Windows Sandbox, WSL2, and Credential Guard, which materially weakens other defenses). Prioritize Hyper-V hosts running multi-tenant or untrusted guest workloads first; pure client devices without Hyper-V enabled remain exposed in code but not exploitable until the feature is turned on.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35686
GHSA-9pfr-2fjj-39px