MEDIUM 5.5

CVE-2026-42915: Windows VMSwitch Buffer Calculation DoS Vulnerability

Windows VMSwitch, the virtual networking component in Windows, contains a flaw in how it calculates memory buffer sizes. An attacker with local access to an affected system can exploit this miscalculation to crash the VMSwitch service, causing a denial of service. The attacker needs valid credentials to trigger the issue, so this is not a remote or unauthenticated attack vector. The vulnerability affects Windows 10, Windows 11, and Windows Server 2022/2025.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-131
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-19

NVD description (verbatim)

Incorrect calculation of buffer size in Windows VMSwitch allows an authorized attacker to deny service locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42915 is a buffer size calculation error (CWE-131) in the Windows VMSwitch driver. The improper sizing calculation can be triggered by an authenticated local attacker to cause uncontrolled memory access, resulting in a denial-of-service condition. The vulnerability requires local access and user-level privileges to exploit; it does not provide code execution or data exfiltration capabilities. The flaw is isolated to the VMSwitch component and does not affect the broader Hyper-V hypervisor or other core Windows subsystems beyond availability of virtual networking functionality.

Business impact

Availability disruption is the primary business concern. An employee or contractor with local system access could temporarily disable virtual networking, affecting workloads that depend on Hyper-V connectivity or virtual machine networking. For organizations running production Hyper-V environments on affected Windows Server versions, this represents a localized but repeatable disruption vector. The attack requires legitimate credentials and local access, limiting the threat to insider or post-compromise scenarios. Recovery typically requires service restart with minimal downtime, but repeated exploitation could impact operational continuity.

Affected systems

Microsoft Windows 10 (versions 21H2 and 22H2), Windows 11 (versions 23H2, 24H2, 25H2, and 26H1), Windows Server 2022, and Windows Server 2025 are affected. The vulnerability is tied to VMSwitch specifically, so systems without Hyper-V or virtual networking functionality enabled are not exposed. Server environments running virtual machines and client systems with Hyper-V enabled represent the primary risk population.

Exploitability

Exploitability is limited by the authentication and local access requirement. An attacker must have valid user credentials and the ability to log into or execute code on the target system. There is no known public exploit at this time, and the vulnerability has not been added to the CISA KEV (Known Exploited Vulnerabilities) catalog. The barrier to exploitation is moderate: privilege escalation would not be required, but the attacker must already have a foothold with user-level access. In managed enterprise environments with credential controls and application whitelisting, practical exploitation becomes more difficult.

Remediation

Microsoft has released security updates to address this vulnerability. Organizations should apply the latest Windows cumulative security updates or platform-specific patches as soon as practical. For Windows 10, update to version 22H2 or later. Windows 11 users should ensure they are running the latest available version (26H1 or later). Windows Server 2022 and 2025 administrators should deploy the corresponding security patches released by Microsoft. Verify patch application via Windows Update history or WSUS to confirm the VMSwitch component has been updated.

Patch guidance

Check Microsoft's official security bulletins and Windows Update for the specific KB article numbers corresponding to the June 2026 security release. Windows 10 and 11 users can enable automatic Windows Update or manually trigger updates via Settings > Update & Security > Check for updates. Windows Server administrators should use Windows Server Update Services (WSUS), SCCM, or manual Windows Update depending on your patch management infrastructure. Test patches in a non-production Hyper-V environment first to confirm virtual networking functionality is preserved. Monitor VMSwitch service status and virtual machine connectivity after patching to ensure successful remediation.

Detection guidance

Monitor Windows Event Viewer for repeated VMSwitch service crashes or unexpected restarts of the vmswitchservice process. Look for kernel memory events (Event ID 41 or 51) that correlate with VMSwitch restarts. Enable audit logging for local logon events (Event ID 4624) to identify which accounts accessed the system around the time of the denial of service. In Hyper-V environments, check virtual machine network connectivity logs for sudden drops in traffic or repeated connection failures. Endpoint detection tools should flag unusual local process execution targeting the VMSwitch driver or repeated service control commands issued by standard user accounts.

Why prioritize this

Although the CVSS score is moderate (5.5), the practical risk is lower due to authentication and local access requirements. Prioritize patching based on your environment: Windows Server hosts running production Hyper-V workloads should be treated as priority targets, as a DoS event could impact business continuity. Client systems and non-virtualized servers are lower priority. Since no active exploitation has been reported in the KEV catalog, this does not demand emergency response timelines, but it should be included in regular patch cycles and tested in virtual environments before broad deployment.

Risk score, explained

The CVSS 3.1 score of 5.5 (Medium) reflects high impact to availability balanced against the requirement for local authentication and user-level access. The vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack surface, low attack complexity once access is obtained, and no confidentiality or integrity impact. The score appropriately penalizes the denial-of-service capability while recognizing that exploitation is constrained to authenticated users. Organizations with strong access controls and insider threat programs may view their practical risk as below the baseline CVSS, while those with permissive local access policies should weight the score accordingly.

Frequently asked questions

Does this vulnerability allow remote code execution or lateral movement?

No. CVE-2026-42915 is strictly a denial-of-service vulnerability affecting VMSwitch availability. It does not provide code execution, privilege escalation, or the ability to move laterally across a network. An attacker is limited to crashing the virtual networking service on the local system where they have already authenticated.

What happens if VMSwitch is disabled or if a system does not use Hyper-V?

Systems that do not have Hyper-V enabled or virtual networking configured are not exposed to this vulnerability. VMSwitch is only active when virtual machines or virtual networking is in use. Disabling Hyper-V or removing the VMSwitch component eliminates the attack surface, though this is rarely practical in enterprise Hyper-V environments.

How quickly should we patch this in a production Hyper-V environment?

Given the medium CVSS score, lack of active exploitation, and the requirement for local authenticated access, a standard patch cycle (within 30 days) is reasonable for most organizations. However, if your Hyper-V hosts support mission-critical workloads, test patches in a lab environment immediately and schedule production updates within 2-3 weeks to minimize the window of exposure.

Can this vulnerability be exploited remotely over the network?

No. The attack vector is strictly local (AV:L in the CVSS vector). The attacker must have user-level access to the system itself—either through a legitimate account or via code execution from another vulnerability. Network-based attacks cannot trigger this flaw.

This analysis is provided for informational purposes and does not constitute professional security advice or a risk assessment for your specific environment. CVSS scores, patch availability, and vendor statements are current as of the publication date but may change; verify all technical details against Microsoft's official security advisories and bulletins. Exploit timelines, attack prevalence, and real-world risk vary by industry, geography, and organizational security posture. Conduct your own threat modeling and prioritization aligned with your business objectives and regulatory obligations. SEC.co makes no guarantee regarding the accuracy, completeness, or applicability of this intelligence to your systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).