CVE-2026-45641 – Windows Hyper-V Remote Code Execution Vulnerability

CVE-2026-45641 is a Windows Hyper-V Remote Code Execution vulnerability associated with CWE-843: Type Confusion. The executive summary also describes the issue as an out-of-bounds read, so the weakness details are inconsistent in the source data. The vulnerability may allow an authenticated attacker inside a guest VM to send specially crafted file operation requests to VM hardware resources, potentially resulting in code execution on the host server.

CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability creates a virtualization escape risk in Windows Hyper-V. An attacker with access to a guest VM could attempt to cross the isolation boundary and execute code on the Hyper-V host. Successful exploitation could expose other virtual machines and critical host infrastructure.

EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept code is identified in the provided data.

TECHNICAL SUMMARY:
The vulnerability is listed as CWE-843: Type Confusion, where software accesses a resource using an incompatible type. The executive summary also references an out-of-bounds read, which conflicts with the listed weakness. Microsoft states exploitation requires an authenticated attacker on a guest VM to send specially crafted file operation requests to VM hardware resources. If successful, this could result in remote code execution on the host server.

EXPLOITABILITY:
Affected Microsoft Product: Windows Hyper-V
Affected software includes Windows 10 Version 21H2 and 22H2, Windows 11 Version 23H2, 24H2, 25H2, and 26H1, Windows Server 2022, Windows Server 2025, and Server Core installations for affected server versions.

BUSINESS IMPACT:
Hyper-V hosts often run important business workloads. Successful exploitation could compromise the host, expose other virtual machines, disrupt services, and weaken trust in the virtualized environment. The impact can be especially severe in environments where multiple critical systems share the same host.

WORKAROUND:
No workarounds are listed.
No mitigations are listed.

URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. Because it may allow code execution from a guest VM on the host server, organizations using Hyper-V should prioritize patching hosts that support critical workloads.