Skip to main content

Windows Hyper-V CVE-2026-45607

| EUVDEUVD-2026-35686 HIGH
Out-of-bounds Read (CWE-125)
2026-06-09 secure@microsoft.com GHSA-9pfr-2fjj-39px
7.8
CVSS 3.1 · NVD
Temporal: 7.3
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.3 HIGH
cvss
vuln.today AI
7.8 HIGH

Local Hyper-V interface reachable by any authenticated low-priv user (AV:L, PR:L, AC:L), no UI, and hypervisor code execution yields full C/I/A impact on the host.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 11, 2026 - 18:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 11, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 11, 2026 - 18:52 vuln.today
cvss_changed
CVSS changed
Jun 11, 2026 - 18:52 NVD
8.4 (HIGH) 7.8 (HIGH)
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:09 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 8.4

DescriptionNVD

Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally.

AnalysisAI

Local code execution in Microsoft Windows Hyper-V allows an authenticated low-privilege attacker to run arbitrary code on the host via an out-of-bounds read (CWE-125) in the hypervisor. The flaw affects a broad swath of Windows 10, Windows 11, and Windows Server builds running Hyper-V, and Microsoft has released patches. No public exploit identified at time of analysis and EPSS is very low (0.06%), but SSVC technical impact is rated total.

Technical ContextAI

Hyper-V is Microsoft's Type-1 hypervisor that underpins virtualization on client Windows (Windows 10/11) and Windows Server, providing the virtualization stack used by Windows Sandbox, WSL2, virtualization-based security (VBS), and traditional guest VMs. The root cause is CWE-125 (out-of-bounds read): the hypervisor or a Hyper-V component reads memory past the bounds of an allocated buffer, which in this case is leveraged to gain code execution rather than just disclose memory - likely because the OOB read corrupts subsequent control-flow data or feeds attacker-controlled values into a code path that the attacker can pivot from. CPE data confirms the issue affects the kernel-mode OS components (cpe:2.3:o:microsoft:...) across x64 and arm64 builds of Windows 10 1607/1809/21H2/22H2 and Windows 11 23H2/24H2/25H2, indicating the vulnerable code lives in the shipped Hyper-V binaries common to those releases.

RemediationAI

Apply the vendor-released cumulative updates from Microsoft that raise affected builds to the fixed versions listed in the EUVD data (for example 10.0.19045.7417 for Windows 10 22H2, 10.0.22631.7219 for Windows 11 23H2, 10.0.26100.8655 for Windows 11 24H2 / Server 2025, and 10.0.17763.8880 for Server 2019 and Windows 10 1809); see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45607 for the per-KB mapping. On systems that cannot be patched immediately, restrict local logon to trusted administrators and remove the 'Hyper-V Administrators' membership from non-essential accounts (trade-off: blocks legitimate VM management), and on hosts that do not need virtualization disable the Hyper-V role/feature via Server Manager or Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All (trade-off: also disables VBS/HVCI, Windows Sandbox, WSL2, and Credential Guard, which materially weakens other defenses). Prioritize Hyper-V hosts running multi-tenant or untrusted guest workloads first; pure client devices without Hyper-V enabled remain exposed in code but not exploitable until the feature is turned on.

Share

CVE-2026-45607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy