CVE-2026-47652 – Windows Hyper-V Remote Code Execution Vulnerability

A remote code execution vulnerability in Windows Hyper-V could allow an attacker to execute code locally from within a virtualized environment. The issue involves a heap-based buffer overflow triggered through a specially crafted hypercall with a maliciously large or malformed payload size. Successful exploitation could affect resources outside the vulnerable component’s normal security scope, making this especially serious for systems that rely on Hyper-V isolation.

CVSS Score: 8.2
SEVERITY: Critical
THREAT:
This vulnerability threatens Hyper-V host security and virtualized workload isolation. An attacker with high privileges inside a virtualized environment could issue crafted hypercalls to trigger memory corruption in the hypervisor, potentially leading to code execution beyond the guest environment.

EXPLOITS:
Microsoft reports publicly disclosed: No and exploited: No. Exploit Code Maturity is listed as Unproven, meaning confirmed working exploit code is not identified in the provided data. Microsoft rates exploitation as less likely.

TECHNICAL SUMMARY:
The vulnerability is classified as CWE-122: Heap-based Buffer Overflow. An attacker could run code within a virtualized environment and send a specially crafted hypercall containing a malformed or oversized payload. This can trigger a buffer overflow during hypervisor memory operations.
The CVSS scope is marked as Changed, meaning successful exploitation can affect resources beyond the vulnerable component’s normal security boundary. This matters because Hyper-V is designed to isolate virtual machines from the host and from other workloads.

EXPLOITABILITY:
Affected software includes Windows 11 Version 23H2, 24H2, 25H2, and 26H1, plus Windows Server 2022 and Windows Server 2025. Exploitation requires local access within a virtualized environment and high privileges, but no user interaction.

BUSINESS IMPACT:
For organizations using Hyper-V, this vulnerability can weaken trust in workload separation. A successful attack could lead to unauthorized code execution, compromise of sensitive workloads, disruption of hosted services, and possible impact beyond a single virtual machine. This is especially important for data centers, development environments, hosted infrastructure, and systems running sensitive virtualized workloads.

WORKAROUND:
Microsoft lists no mitigations and no workarounds. Applying the official security update is the recommended action.

URGENCY:
This patch should be deployed urgently because the vulnerability is rated Critical, affects Hyper-V, and involves remote code execution with a scope change. Even though exploitation is currently assessed as less likely and no active exploitation is reported, vulnerabilities that cross virtualization boundaries can create high-impact compromise scenarios.