CVE-2026-57092 – Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

CVSS 9.9 CRITICAL Critical or Zero Day – Immediate Deployment

“A compromised guest virtual machine should not become a doorway to the host, but this flaw can break that boundary.”

A use-after-free vulnerability in Microsoft Windows VMSwitch allows an authorized attacker with low privileges inside a guest virtual machine to potentially gain elevated privileges on the host system. An attacker can exploit the flaw by sending a specially crafted network-related request through the Hyper-V Virtual Switch. Under certain conditions, the host may access memory that is no longer valid, potentially causing a denial of service or allowing the attacker to escape the guest boundary and compromise the host.

CVSS Score: 9.9

SEVERITY: Critical

THREAT:
This vulnerability threatens the security boundary between Hyper-V guest virtual machines and the host system. An attacker who can run code inside a guest virtual machine could send malicious network-related requests through VMSwitch and potentially gain privileges beyond the guest environment. Successful exploitation could expose the host and other workloads running on the same virtualization platform.

EXPLOITS:
At the time of publication, Microsoft assessed exploitation as less likely. The vulnerability was not publicly disclosed and was not known to be actively exploited. No public exploit or proof-of-concept code is confirmed in the available information.

TECHNICAL SUMMARY:
The vulnerability is caused by CWE-416: Use After Free in Microsoft Windows VMSwitch. A use-after-free condition occurs when software continues to reference memory after that memory has already been released.
An attacker with low privileges in a guest virtual machine could run code and send a specially crafted network-related request to the host through the Hyper-V Virtual Switch. Under certain timing and memory conditions, VMSwitch may cause the host to access invalid memory. This could result in a denial of service or, in more serious cases, elevation of privilege on the host system.
The CVSS v3.1 metrics show a network attack vector, low attack complexity, low privileges required, no user interaction, and a changed scope. The changed scope reflects the possibility that exploitation inside a guest virtual machine could affect the separate security authority of the host.

EXPLOITABILITY:
Affected software includes Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 24H2, 25H2, and 26H1; and Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including applicable Server Core installations.
Exploitation requires the attacker to run code in a guest virtual machine and send a specially crafted network-related request through the Hyper-V Virtual Switch. No user interaction is required.

BUSINESS IMPACT:
Successful exploitation could allow an attacker to cross the isolation boundary between a guest virtual machine and its host. This could lead to host compromise, disruption of virtualized services, exposure of sensitive workloads, and possible access to other guest systems hosted on the same platform.
The vulnerability is especially serious for organizations using shared virtualization infrastructure, private clouds, hosting platforms, development environments, or multi-tenant systems. A single compromised guest could create risk for the underlying host and other business-critical workloads.

WORKAROUND:
No mitigations or workarounds are available. Apply the applicable Microsoft security update.

URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 9.9. It could allow an attacker with access to a guest virtual machine to cross into the host system without user interaction. Although exploitation is currently assessed as less likely and no active exploitation is confirmed, the potential failure of the guest-to-host security boundary makes this patch a high priority for Hyper-V and virtualization hosts.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-416
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.