CVE-2026-45607: Windows Hyper-V Out-of-Bounds Read Code Execution (CVSS 8.4)
CVE-2026-45607 is a high-severity vulnerability in Windows Hyper-V that allows an attacker with local access to read memory outside intended boundaries and execute arbitrary code. The flaw requires no special privileges or user interaction to trigger, making it a direct path to system compromise on affected machines. This is not yet listed on the CISA Known Exploited Vulnerabilities catalog, but the combination of local access and code execution capability makes it a meaningful risk for organizations running Hyper-V infrastructure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 16 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
An out-of-bounds read condition exists in the Windows Hyper-V hypervisor (CWE-125). The vulnerability allows a local, unauthenticated attacker to read memory beyond allocated buffer boundaries, which can be leveraged to extract sensitive data or craft an exploit leading to code execution with elevated privileges. The attack surface is confined to the local system; remote exploitation is not possible. The CVSS 3.1 score of 8.4 reflects high impact across confidentiality, integrity, and availability, with low attack complexity and no privileges required.
Business impact
Compromise of a Hyper-V host can cascade into broad infrastructure damage. An attacker exploiting this flaw gains local code execution, potentially allowing lateral movement within virtual machine clusters, theft of guest VM memory or credentials, denial of service to virtualized workloads, and persistence across guest boundaries. In datacenter and cloud scenarios, this represents a critical containment failure. Organizations with multi-tenant or segmented Hyper-V deployments face elevated risk of cross-tenant data leakage.
Affected systems
The vulnerability affects multiple Windows 10 and Windows 11 builds (1607, 1809, 21H2, 22H2, 23H2, 24H2, 25H2, 26H1) and Windows Server versions (2016, 2019, 2022, 2025). Any system with Hyper-V enabled is in scope. This includes virtualized enterprise servers, cloud-hosting platforms, and development labs running nested hypervisors. The affected versions span both in-support and extended-support Windows releases.
Exploitability
Exploitation requires local system access; an attacker cannot trigger this remotely over the network. However, the lack of privilege requirement or user interaction lowers the bar significantly. Any locally-authenticated user, compromised service account, or malware with filesystem access can attempt exploitation. Guest-to-host escape is a plausible attack chain if an attacker first compromises a virtual machine. The CVSS vector (AV:L/AC:L/PR:N/UI:N) indicates attack complexity is low, suggesting a reliable exploit technique may be available. The vulnerability is not yet tracked in public exploit databases, but the straightforward nature of out-of-bounds reads suggests security researchers will likely develop proof-of-concept code.
Remediation
Apply the latest cumulative update or security patch from Microsoft for your Windows version. Verify against the official Microsoft Security Update Guide (portal.msrc.microsoft.com) for the specific KB article and build numbers. Organizations should prioritize patching Hyper-V hosts in production environments, particularly those hosting untrusted or multi-tenant workloads. Interim mitigations include restricting local access to systems, disabling Hyper-V where not required, and isolating sensitive guest VMs on patched hosts.
Patch guidance
Monitor the Microsoft Security Update Guide for CVE-2026-45607 patches. Patches will be rolled into monthly cumulative updates for each supported Windows version and Server release. Test patches in a non-production Hyper-V lab first to confirm VM stability and any compatibility implications with guest operating systems. Prioritize patching in this order: (1) production Hyper-V hosts handling untrusted workloads, (2) multi-tenant or cloud-hosting environments, (3) development and lab hypervisors. Plan for system restart as part of update deployment.
Detection guidance
Monitor for suspicious local process activity on Hyper-V hosts, particularly unexpected reads of kernel memory or calls to Hyper-V-related APIs (e.g., WMI virtualization classes, Hyper-V management service). Track failed and succeeded privilege escalation attempts. Check for abnormal child process spawning or unexpected code execution originating from low-privilege accounts. Log analysis of Windows Security Event ID 4688 (process creation) may reveal attempts to access Hyper-V management tools or memory-scanning utilities. Network detection is unlikely to be productive since the vulnerability is local; focus on host-based indicators and behavioral anomalies.
Why prioritize this
This vulnerability merits immediate attention due to its high CVSS score (8.4), absence of privilege requirements, and the strategic importance of Hyper-V infrastructure in enterprise and cloud environments. The local attack surface and code execution outcome create a direct risk to virtualized assets and data. Although not yet actively exploited in the wild (not on KEV), the technical simplicity and broad affected version range suggest rapid adoption of working exploits is probable. Hyper-V hosts should be treated as critical assets in patch prioritization.
Risk score, explained
The CVSS 3.1 score of 8.4 (HIGH) is driven by complete compromise of system confidentiality, integrity, and availability (C:H, I:H, A:H), combined with low barriers to attack (AV:L, AC:L, PR:N, UI:N). The severity is tempered only by the requirement for local access. In a typical enterprise, local access is abundant through service accounts, contractors, shared systems, and compromised workstations; the 'local' requirement therefore does not substantially reduce real-world risk. The absence of scope crossing (S:U) prevents an CVSS uplift, but in practice, guest-to-host escape elevates impact.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access. An attacker must already have the ability to run code or commands on the affected Hyper-V host. However, a prior breach of a guest VM or a compromised service account can serve as a stepping stone.
Do all Windows systems need to be patched, or only Hyper-V hosts?
Only systems with Hyper-V role enabled are vulnerable. Standard Windows 10 or Windows 11 workstations without Hyper-V installed are not affected. Check your systems with 'Get-WindowsFeature Hyper-V' (Server) or 'Get-WindowsOptionalFeature -FeatureName Hyper-V' (client Windows) to identify which machines require patching.
What is the difference between this CVE and other Hyper-V vulnerabilities?
CVE-2026-45607 is specifically an out-of-bounds read leading to code execution. Other Hyper-V CVEs may involve privilege escalation, denial of service, or information disclosure through different mechanisms. Check Microsoft's advisory for this CVE to understand the precise attack vector and remediation scope.
If I disable Hyper-V, am I protected?
Yes, disabling the Hyper-V role eliminates the attack surface for this CVE. However, if you rely on Hyper-V for production workloads, disabling is not practical. Patching is the recommended path; disabling is appropriate only for systems where virtualization is not needed.
This analysis is based on available CVE metadata and vendor advisories as of the publication date. Patch availability, affected build numbers, and exploitation status may evolve; consult the official Microsoft Security Update Guide (portal.msrc.microsoft.com) for authoritative remediation guidance. SEC.co does not provide exploit code or weaponized proof-of-concept material. This vulnerability intelligence is for defensive purposes only. Organizations should validate patch applicability in their environment before broad deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library