MEDIUM 5.5

CVE-2026-42972: Windows Hyper-V Information Disclosure Vulnerability

A flaw in Windows Hyper-V can leak sensitive information to users who already have local access to a system. An attacker with a standard user account on the machine could exploit this to read data they shouldn't be able to access. While the vulnerability requires existing local privileges, the information exposure is significant enough to warrant attention, particularly in multi-tenant or shared system environments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
18 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Exposure of sensitive information to an unauthorized actor in Windows Hyper-V allows an authorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42972 is an information disclosure vulnerability in the Windows Hyper-V hypervisor (CWE-200). The flaw allows a locally authenticated attacker to access sensitive data on the Hyper-V host without additional user interaction. The CVSS 3.1 score of 5.5 reflects a local attack vector, low complexity, and requirement for basic user privileges, with high impact on confidentiality but no integrity or availability impact. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Business impact

For organizations running Hyper-V—whether on Windows 10/11 workstations or Windows Server infrastructure—this vulnerability poses a data confidentiality risk. In environments where multiple users share access to a physical host or where guest isolation is critical (cloud hosters, managed service providers, research institutions), unauthorized information disclosure could expose workload data, credentials, or configuration details. The impact is contained to local attack scenarios, reducing risk for geographically distributed or air-gapped deployments, but organizations with converged or densely virtualized environments should prioritize assessment.

Affected systems

Microsoft has confirmed the vulnerability affects a broad range of Windows editions: Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server editions 2012, 2016, 2019, 2022, and 2025. Any system running Hyper-V on these platforms is potentially vulnerable. Organizations should inventory Hyper-V deployments across both client and server infrastructure to establish exposure scope.

Exploitability

Exploitation requires an attacker to already possess local system access with standard user privileges. There is no remote attack path, and the vulnerability does not allow privilege escalation on its own—it is a lateral information disclosure issue. The lack of KEV listing and absence of public exploit code in the wild suggest the flaw is not yet actively weaponized, but the straightforward local access requirement means exploitation difficulty is low once an attacker is on the system. Organizations should consider the risk profile of their local user base and guest isolation policies.

Remediation

Microsoft will issue patches through its standard security update process. Organizations should monitor Microsoft Security Update Guide and subscribe to relevant advisories for specific patch versions. Temporary mitigations may include restricting local user account creation, enforcing strict physical access controls, disabling Hyper-V on non-essential systems, and strengthening guest-to-host isolation policies. However, these are partial controls; a firmware or operating system patch is the definitive remediation.

Patch guidance

Patches will be delivered via Windows Update and Microsoft's monthly security releases. For Windows 10 users, ensure automatic updates are enabled or manually check Windows Update. Server administrators should test patches in non-production environments before rollout, particularly in virtualization-heavy infrastructure where downtime must be coordinated. Verify patch application by checking the installed update history and confirming the vulnerability is listed as resolved in the advisory. Organizations on extended support tracks (Windows Server 2012, 2016) should confirm patch availability and timelines before assuming automatic deployment.

Detection guidance

Monitor system logs for suspicious local process activity that might indicate attempts to access Hyper-V memory or configuration data. EDR and behavioral analytics should flag unusual file or registry access patterns from low-privileged processes targeting Hyper-V-related paths. Network segmentation rules should limit lateral movement between Hyper-V guests and the host. Vulnerability scanners that assess Hyper-V security posture can help identify unpatched systems. Proactive scanning of your asset inventory against the affected product versions listed will provide the most direct visibility.

Why prioritize this

A CVSS 5.5 MEDIUM severity score with high confidentiality impact warrants prompt but not emergency action. The local-only attack vector reduces urgency compared to remote vulnerabilities, but data sensitivity depends on workload type and isolation practices. Hyper-V environments hosting sensitive workloads, multi-tenant deployments, or high-risk guest combinations should patch sooner. General-purpose or isolated environments can follow standard update cadences. The breadth of affected versions (spanning Windows 10, 11, and Server 2012–2025) suggests this is a platform-wide issue requiring systematic remediation rather than targeted triage.

Risk score, explained

The CVSS 3.1 base score of 5.5 reflects a Medium severity vulnerability. The Local (L) attack vector and Low (L) attack complexity indicate modest exploitation barriers for someone already on the system. The requirement for basic user privileges (Low) means attackers do not need administrator rights. High Confidentiality (C:H) impact acknowledges significant information exposure, while No Impact on Integrity (I:N) and Availability (A:N) shows the vulnerability is read-only. Unchanged Scope (S:U) means the attack does not cross privilege boundaries or affect other systems directly.

Frequently asked questions

Do we need to patch immediately, or can we defer to a standard maintenance window?

Given the MEDIUM severity and local-only attack requirement, deferral to your standard patching cycle is reasonable unless you host high-sensitivity workloads on Hyper-V or operate a multi-tenant environment where guest isolation is critical. In those cases, prioritize patches within 30 days. Confirm patch availability from Microsoft first, as some legacy versions (e.g., Server 2012) may have longer timelines.

Does this vulnerability affect Hyper-V isolated containers or just virtual machines?

The advisory applies to the Hyper-V hypervisor itself. Windows Defender Application Guard and other isolation technologies that leverage Hyper-V may be affected depending on their configuration. Review Microsoft's detailed advisory to confirm isolation scope for your specific deployment model. Testing in a non-production environment is prudent before broad rollout.

What if we can't patch immediately? Are there effective compensating controls?

Strong compensating controls include physical access restrictions, disabling Hyper-V on non-essential systems, enforcing strict firewall rules between guests and host, and limiting local user account creation. However, none of these eliminate the vulnerability entirely. They reduce risk but do not substitute for patching; treat them as interim measures only.

Is this vulnerability related to any known attack campaigns or malware?

No, the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog and has no public evidence of active exploitation in the wild. However, this does not mean it will remain unexloited indefinitely; treat it as a proactive remediation opportunity rather than a crisis response.

This analysis is based on vulnerability data current as of the publication date and is provided for informational purposes. It does not constitute professional security advice. Patch version numbers, timelines, and specific remediation steps must be verified against the official Microsoft Security Update Guide and vendor advisories. Organizations should conduct independent risk assessments based on their infrastructure, workload sensitivity, and compliance requirements. SEC.co makes no warranty regarding the accuracy, completeness, or applicability of this information for your environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).