CVE-2026-45607 – Windows Hyper-V Remote Code Execution Vulnerability

CVE-2026-45607 is a Windows Hyper-V Remote Code Execution vulnerability caused by an out-of-bounds read (CWE-125). The flaw affects Windows Hyper-V and may allow an attacker operating within a guest virtual machine to execute code on the host system. According to Microsoft, exploitation involves sending specially crafted file operation requests from a guest VM to hardware resources associated with the virtual machine, potentially resulting in code execution on the host server.

CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability presents a virtualization escape risk. An attacker who gains access to a guest virtual machine could attempt to leverage the flaw to break isolation boundaries and execute code on the Hyper-V host. Successful exploitation could undermine one of the core security assumptions of virtualization environments and expose multiple hosted workloads to compromise.

EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.

TECHNICAL SUMMARY:
The vulnerability is caused by an out-of-bounds read within Windows Hyper-V. Improper handling of memory during processing of specially crafted file operation requests can create conditions that allow arbitrary code execution. Microsoft states that an attacker would need to operate from within a guest virtual machine and send crafted requests targeting VM hardware resources. If successful, the attack could lead to code execution on the host server, potentially compromising the integrity of the virtualization platform and hosted workloads.

EXPLOITABILITY:
Affected Microsoft Product: Windows Hyper-V
Affected software includes:
Windows 10 Version 1607, 1809, 21H2, and 22H2
Windows 11 Version 23H2, 24H2, 25H2, and 26H1
Windows Server 2016, 2019, 2022, and 2025
Windows Server Core installations for affected server versions
The attack vector is Local, with Low attack complexity, No privileges required, and No user interaction according to the CVSS metrics. Microsoft states that exploitation requires an attacker operating from a guest VM environment to send specially crafted file operation requests to VM hardware resources.

BUSINESS IMPACT:
Hyper-V hosts often support multiple business-critical workloads. A successful VM escape attack could allow an attacker to move beyond a compromised guest system and gain access to the underlying host infrastructure. This could result in unauthorized access to other virtual machines, disruption of services, exposure of sensitive data, and widespread impact across the virtualized environment.

WORKAROUND:
No workarounds are listed.
No mitigations are listed.

URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. The possibility of code execution from a guest virtual machine to the host system makes this a high-priority patch for organizations using Hyper-V. Systems hosting critical workloads or multi-tenant environments should be prioritized for remediation.