Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local guest/host access (AV:L) with low privileges (PR:L); type-confusion exploitation typically requires precise timing/memory layout (AC:H); hypervisor escape changes security scope (S:C) with total host impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Windows Hyper-V allows an authenticated attacker on a guest or host to escape sandbox boundaries by triggering an out-of-bounds read condition (CWE-843, type confusion) in the hypervisor. The flaw affects Windows 10 (21H2/22H2), Windows 11 (23H2/24H2/25H2/26H1), and Windows Server 2022/2025, with a vendor-released patch available and no public exploit identified at time of analysis. EPSS scoring of 0.15% and SSVC exploitation status of 'none' suggest limited near-term exploitation likelihood despite total technical impact potential.
Technical ContextAI
Hyper-V is Microsoft's Type-1 hypervisor that powers virtualization on Windows client and server SKUs, including Windows Sandbox, WSL2, Hyper-V VMs, and Credential Guard. CWE-843 (Access of Resource Using Incompatible Type, often called type confusion) here manifests as an out-of-bounds read, indicating the hypervisor interprets a memory region under one type while the underlying data is sized or structured differently, allowing the attacker to read past intended boundaries. Because Hyper-V code runs in the root partition or hypervisor context with the highest privilege on the system, memory disclosure or corruption primitives here can be leveraged to escape guest isolation or escalate within the host. The CPE list shows the flaw spans the kernel-mode hypervisor stack on x64 builds of Windows 10, Windows 11 (including 26H1 insider builds), Windows Server 2022, and Windows Server 2025, consistent with a shared hvix64/hvax64 codebase.
RemediationAI
Vendor-released patch: install the Microsoft cumulative update that brings the affected OS to or above the fixed build for your channel (e.g., 19044.7417/19045.7417 for Windows 10, 22631.7219 for Windows 11 23H2, 26100.8655 for 24H2, 26200.8655 for 25H2, 20348.5256 for Server 2022, 26100.32995 for Server 2025) as detailed in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45641. Until patching is complete, compensating controls include disabling the Hyper-V role on hosts that do not require virtualization (this also disables Windows Sandbox, WSL2, and Credential Guard, which is a meaningful side effect), restricting which users can create or attach VMs via the Hyper-V Administrators group to trusted accounts only, and avoiding running untrusted guests on shared hosts. On multi-tenant or sandbox-execution hosts, isolate untrusted workloads onto separate, fully patched physical hardware to limit blast radius until updates are deployed.
More in Windows 10 21h2
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. Rated critical severity (CVSS 9.8), thi
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Same technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35687
GHSA-3hgm-7fqq-m4fp