Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-43575

CVE-2024-43575: Windows Server 2016 Hyper-V DoS Flaw

CVE-2024-43575 is a denial of service vulnerability in Windows Hyper-V on Server 2016 that enables attackers to disrupt system availability. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-43575 Overview

CVE-2024-43575 is a denial of service vulnerability in Microsoft Windows Hyper-V, the native hypervisor included with Windows Server. The flaw allows an unauthenticated remote attacker to exhaust host resources and disrupt virtualization services. Microsoft published the advisory as part of its October 2024 security release. The vulnerability is classified under [CWE-400] (Uncontrolled Resource Consumption) and affects multiple supported Windows Server releases that ship with Hyper-V.

Critical Impact

Successful exploitation can render Hyper-V hosts unresponsive, disrupting every guest virtual machine running on the affected host and any dependent workloads.

Affected Products

  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022 (including 23H2)

Discovery Timeline

  • 2024-10-08 - CVE-2024-43575 published to NVD
  • 2024-10-08 - Microsoft releases security update for CVE-2024-43575
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-43575

Vulnerability Analysis

The vulnerability resides in the Windows Hyper-V hypervisor stack. An unauthenticated remote attacker can trigger uncontrolled resource consumption on the host, leading to denial of service. The flaw requires no privileges and no user interaction, which broadens the population of viable attackers.

Hyper-V mediates CPU scheduling, memory allocation, and virtual device I/O for guest virtual machines. When resource accounting fails to constrain attacker-controlled inputs, the host can be driven into a state where legitimate workloads cannot make progress. Availability is the only impacted security property, but the blast radius covers every guest tenant on the host.

Root Cause

The root cause is mapped to [CWE-400] Uncontrolled Resource Consumption. Hyper-V fails to adequately bound resource usage tied to specific request patterns reachable across the network. Microsoft has not published low-level component details beyond the advisory.

Attack Vector

The attack vector is network-based with low complexity. An attacker sends crafted traffic to a reachable Hyper-V host or exposed virtualization endpoint, consuming host resources until services degrade or stop. Public exploit code is not currently available, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

No verified proof-of-concept code is available. See the Microsoft Security Update CVE-2024-43575 advisory for vendor guidance.

Detection Methods for CVE-2024-43575

Indicators of Compromise

  • Sudden unresponsiveness of multiple guest virtual machines on the same Hyper-V host without a corresponding hardware fault.
  • Sustained spikes in vmms.exe and vmwp.exe CPU or memory consumption that do not correlate with planned workload changes.
  • Hyper-V-Worker and Hyper-V-Hypervisor event log entries indicating resource exhaustion, scheduling stalls, or partition errors.

Detection Strategies

  • Baseline normal hypervisor resource utilization and alert on deviations in host CPU ready time, non-paged pool growth, and VMBus message rates.
  • Correlate Windows Event Logs from the Microsoft-Windows-Hyper-V-* channels with network telemetry to identify traffic preceding host degradation.
  • Hunt for repeated connections from untrusted sources to management interfaces, live migration ports, and replica endpoints.

Monitoring Recommendations

  • Monitor TCP ports associated with Hyper-V management and replication (for example, 5985, 5986, 80, 443, 6600) for anomalous request volumes.
  • Track guest health probes and cluster heartbeat failures as early indicators of host saturation.
  • Forward Hyper-V operational logs to a centralized SIEM for retention and cross-host correlation.

How to Mitigate CVE-2024-43575

Immediate Actions Required

  • Apply the October 2024 Microsoft security updates to all Windows Server 2016, 2019, 2022, and 2022 23H2 hosts running Hyper-V.
  • Inventory every Hyper-V host and verify patch deployment status through Windows Update for Business, WSUS, or Configuration Manager.
  • Restrict network access to Hyper-V management and replication endpoints so that only administrative networks can reach them.

Patch Information

Microsoft addressed CVE-2024-43575 in its October 8, 2024 Patch Tuesday release. Administrators should consult the Microsoft Security Update CVE-2024-43575 page for the specific KB articles applicable to each affected Windows Server build and install the corresponding cumulative update.

Workarounds

  • Segment Hyper-V hosts onto dedicated management VLANs and enforce firewall rules that block untrusted sources from reaching hypervisor services.
  • Disable Hyper-V Replica and other optional network-facing features on hosts that do not require them until patches are applied.
  • Enforce host-based firewall policies that restrict inbound traffic to known administrative jump hosts and cluster peers.
bash
# Configuration example: restrict Hyper-V Replica listener to trusted subnet
New-NetFirewallRule -DisplayName "Hyper-V Replica HTTPS - Trusted Only" `
  -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 `
  -RemoteAddress 10.10.20.0/24 -Program "%SystemRoot%\System32\vmms.exe"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.