CVE-2026-40402 – Windows Hyper-V Elevation of Privilege Vulnerability

A critical elevation of privilege vulnerability exists in Windows Hyper-V due to a use-after-free flaw. An attacker could exploit this issue from a guest VM and cross the security boundary into the Hyper-V host environment. Successful exploitation could allow the attacker to gain SYSTEM privileges.
CVSS Score: 9.3
SEVERITY: Critical
THREAT:
This vulnerability could allow an attacker operating from a Hyper-V guest environment to elevate privileges on the host. Successful exploitation may lead to SYSTEM-level access, host compromise, data exposure, tampering, and potential impact to other virtualized workloads.

EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited. Exploit Code Maturity is listed as Unproven, and exploitation is assessed as Less Likely.

TECHNICAL SUMMARY:
CVE-2026-40402 is caused by a use-after-free condition in Windows Hyper-V. The issue allows a guest VM to force the Hyper-V host kernel to read from an arbitrary, potentially invalid address. In most cases, this may result in a denial of service through a host bugcheck. However, Microsoft notes that reads involving memory-mapped device registers tied to hardware attached to the host may trigger device-specific side effects that could compromise host security. The CVSS scope is Changed because exploitation can cross from the guest VM security boundary into the Hyper-V host environment.

EXPLOITABILITY:
Affected software is Windows Hyper-V. Exploitation is local from the guest VM context, requires no privileges, and requires no user interaction. A successful attacker could gain SYSTEM privileges on the Hyper-V host.

BUSINESS IMPACT:
A Hyper-V host compromise can expose multiple virtual machines and sensitive workloads at once. This may lead to tenant boundary violations, business service disruption, data theft, and loss of trust in virtualized infrastructure.

WORKAROUND:
No mitigations or workarounds are listed. Apply the official Microsoft security update as soon as possible.

URGENCY:
This vulnerability should be prioritized because it is Critical, has a CVSS score of 9.3, requires no privileges or user interaction, and can cross the guest-to-host security boundary. Hyper-V hosts supporting critical workloads should be patched quickly.