
CVE-2026-21247: Windows 10 1607 Hyper-V RCE Vulnerability

CVE-2026-21247 is a remote code execution vulnerability in Windows Hyper-V on Windows 10 1607 caused by improper input validation. Authorized attackers can exploit this flaw to execute arbitrary code locally.

CVE-2026-21247 Overview

CVE-2026-21247 is a local code execution vulnerability in Windows Hyper-V caused by improper input validation [CWE-20]. An authorized attacker with low privileges on a guest virtual machine can execute arbitrary code on the host after a user interaction. Microsoft has published an advisory covering supported Windows 10, Windows 11, and Windows Server releases that ship the Hyper-V role. The flaw affects confidentiality, integrity, and availability of the affected host.

Critical Impact

Successful exploitation lets an authorized local attacker break out of expected Hyper-V input handling boundaries and execute code on the host, undermining virtualization-based isolation.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2) on x64
  • Microsoft Windows 11 (versions 23H2, 24H2, 25H2) on x64 and ARM64
  • Microsoft Windows Server 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2026-02-10 - CVE-2026-21247 published to the National Vulnerability Database
  • 2026-02-11 - Last updated in NVD database

Technical Details for CVE-2026-21247

Vulnerability Analysis

The vulnerability resides in the Windows Hyper-V virtualization stack. Hyper-V fails to properly validate input data crossing the guest-to-host boundary. An authorized attacker who controls a guest virtual machine can submit crafted input that the Hyper-V components on the host process without adequate validation.

The CWE-20 classification indicates the root weakness is missing or insufficient checks on attacker-controlled data. Successful exploitation results in code execution on the host with the privileges of the affected Hyper-V component. This breaks the trust boundary that virtualization is designed to enforce.

The attack requires local access, low privileges, and user interaction. The local attack vector reflects that the attacker must already operate inside a guest VM authorized on the host. The user interaction requirement suggests that a host-side user action helps trigger the vulnerable code path.

Root Cause

The root cause is improper input validation in a Hyper-V component that processes guest-supplied data. The component accepts data structures or parameters from a guest without enforcing the expected type, range, or size constraints. Malformed input then drives the host code into an unsafe state that leads to code execution.

Attack Vector

An attacker authenticated to a guest VM constructs malicious input that targets the Hyper-V interface exposed to the guest. The input bypasses validation logic on the host. When a privileged user interacts with the affected workflow, the host executes attacker-controlled code. The result is a guest-to-host escape that violates the isolation contract between virtual machines and the hypervisor.

No public proof-of-concept code is currently available for CVE-2026-21247. See the Microsoft CVE-2026-21247 Advisory for vendor technical details.

Detection Methods for CVE-2026-21247

Indicators of Compromise

  • Unexpected child processes spawned by Hyper-V host services such as vmms.exe or vmwp.exe
  • Hyper-V worker process crashes or abnormal restarts correlated with guest VM activity
  • New or modified binaries on the host filesystem written shortly after VM interaction
  • Anomalous outbound network connections originating from Hyper-V host processes

Detection Strategies

  • Monitor parent-child process relationships for Hyper-V host binaries and alert on deviations from baseline
  • Correlate Windows Event Log entries from the Microsoft-Windows-Hyper-V-Worker and Hyper-V-Hypervisor channels with guest VM events
  • Apply behavioral analytics to flag VM worker processes performing file writes, registry edits, or process creation outside expected patterns
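
The parent-child monitoring described above can be sketched as follows. This is an added example, not code from the advisory or the vendor. It assumes process-creation events exported with Sysmon Event ID 1 style field names; the baseline pair and the sample events are constructed for illustration.

```python
import ntpath

# Hyper-V host binaries the page names as parents to watch.
HYPERV_PARENTS = {"vmms.exe", "vmwp.exe"}
SYSTEM32 = r"c:\windows\system32"
# Assumed baseline of expected (parent, child) pairs; replace it with pairs
# observed in your own hosts' process-creation history.
BASELINE = {("vmms.exe", "vmwp.exe")}

def _split(path):
    """Return (directory, file name) of a Windows path, lower-cased."""
    p = (path or "").lower()
    return ntpath.dirname(p), ntpath.basename(p)

def find_deviations(events, baseline=BASELINE):
    """Alert on Hyper-V host processes creating children outside the baseline."""
    alerts = []
    for ev in events:
        _, parent = _split(ev.get("ParentImage"))
        child_dir, child = _split(ev.get("Image"))
        if parent not in HYPERV_PARENTS:
            continue
        if (parent, child) not in baseline:
            reason = "child not in baseline"
        elif child_dir != SYSTEM32:
            # Name-only matching would miss a look-alike binary elsewhere on disk.
            reason = "baseline name, unexpected path"
        else:
            continue
        alerts.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                       "parent": parent, "child": ev.get("Image"), "reason": reason})
    return alerts

def _ev(time, parent, image):
    return {"UtcTime": time, "Computer": "hv-host-01",
            "ParentImage": parent, "Image": image}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("2026-02-12 09:00:01", r"C:\Windows\System32\vmms.exe", r"C:\Windows\System32\vmwp.exe"),
    _ev("2026-02-12 09:14:37", r"C:\Windows\System32\vmwp.exe", r"C:\Windows\System32\cmd.exe"),
    _ev("2026-02-12 09:15:02", r"C:\Windows\System32\vmms.exe", r"C:\Users\Public\vmwp.exe"),
    _ev("2026-02-12 09:20:00", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\vmms.exe"),
]

if __name__ == "__main__":
    for alert in find_deviations(SAMPLE_EVENTS):
        print(alert)
```

Events whose parent is not a Hyper-V host binary are ignored, so the same function can run over a full host export.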

Monitoring Recommendations

  • Track installation status of the February 2026 security updates across all Hyper-V hosts
  • Enable PowerShell and command-line process auditing on host systems to capture post-exploitation activity
  • Review guest VM administrator activity, focusing on accounts that should not have legitimate need to invoke unusual host-facing Hyper-V operations

How to Mitigate CVE-2026-21247

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft CVE-2026-21247 Advisory to all affected Hyper-V hosts
  • Inventory Windows Server and Windows client systems running the Hyper-V role and prioritize patching of hosts running untrusted or multi-tenant workloads
  • Restrict guest VM administrative access to trusted users only and review recent guest privilege grants

Patch Information

Microsoft has released security updates addressing CVE-2026-21247 for Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2), and Windows Server (2016, 2019, 2022, 2022 23H2, 2025). Refer to the Microsoft CVE-2026-21247 Advisory for the specific KB articles applicable to each Windows version and channel.

Workarounds

  • No vendor-supplied workarounds are documented; apply the official patch as the primary remediation
  • Where patching must be delayed, isolate untrusted guest VMs onto dedicated hosts and limit which accounts can administer those guests
  • Reduce the population of users on Hyper-V hosts who can interact with VM consoles to lower the chance of triggering the user-interaction requirement

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
