CVE-2026-42972 Overview
CVE-2026-42972 is an information disclosure vulnerability in Windows Hyper-V. The flaw allows an authorized local attacker to access sensitive information that should remain isolated within the hypervisor boundary. Microsoft published the advisory on June 9, 2026, and the issue is tracked under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
The vulnerability affects a broad range of Windows client and server releases that ship Hyper-V components, including Windows 10, Windows 11, and Windows Server editions from 2012 through 2025. Exploitation requires local access and low-privilege authentication on the host or guest, but no user interaction.
Critical Impact
An authenticated local attacker can disclose confidential data from Hyper-V memory or virtualization structures, potentially exposing cross-tenant information on shared virtualization hosts.
Affected Products
- Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025
Discovery Timeline
- 2026-06-09 - CVE-2026-42972 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-42972
Vulnerability Analysis
The vulnerability resides in Windows Hyper-V, the Microsoft Type-1 hypervisor responsible for partitioning physical hardware into isolated virtual machines. Hyper-V enforces a security boundary between the root partition and guest partitions, and between guests on the same host. CVE-2026-42972 weakens that boundary by exposing sensitive information to an unauthorized actor through the hypervisor stack.
A successful attack discloses information from process memory, hypervisor data structures, or virtual machine state. The flaw does not modify data or affect availability, so impact is restricted to confidentiality. On multi-tenant virtualization hosts, the leaked data can include cryptographic material, kernel pointers useful for follow-on exploitation, or content belonging to other workloads on the same physical host.
Root Cause
The root cause aligns with [CWE-200]: a Hyper-V component returns or exposes data without enforcing the access control checks required to protect it. This typically occurs when uninitialized memory, kernel pointers, or guest-accessible buffers are returned across the hypervisor boundary without proper sanitization or masking.
Attack Vector
Exploitation requires local access with low privileges. An attacker authenticated to a guest virtual machine, or to the host with a standard user account, can interact with Hyper-V interfaces and observe disclosed data. No user interaction is required, and the attack does not cross a network boundary. The EPSS score of 0.07% (21.5th percentile) indicates a low near-term exploitation probability, and no public proof-of-concept code is currently available.
Verified exploitation code is not publicly available. Refer to the Microsoft CVE-2026-42972 Advisory for technical detail released by the vendor.
Detection Methods for CVE-2026-42972
Indicators of Compromise
- No public indicators of compromise have been published for CVE-2026-42972 as of the advisory date.
- Information disclosure exploitation rarely produces file-system artifacts, so behavioral telemetry is the primary signal source.
Detection Strategies
- Audit Hyper-V management interface calls (hvcall, vmwp.exe, vmms.exe) from low-privilege guest processes that do not normally interact with virtualization APIs.
- Correlate repeated hypercalls or unusual IOCTL patterns against Hyper-V virtual devices with the source user context to identify reconnaissance.
- Track new local accounts gaining access to Hyper-V hosts and review their process activity for memory inspection tooling.
Monitoring Recommendations
- Forward Hyper-V-Worker, Hyper-V-Hypervisor, and Hyper-V-VMMS event logs to a central SIEM for longitudinal analysis.
- Monitor for unexpected loads of debugging or memory-introspection drivers on Hyper-V hosts.
- Singularity Endpoint can collect Windows process and event telemetry from Hyper-V hosts and feed it into Singularity Data Lake for correlation and threat hunting.
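The following PowerShell is an added example, not part of the vendor advisory. It covers two of the monitoring points above on a single Hyper-V host: it confirms that the Worker, Hypervisor and VMMS event channels are enabled before they are forwarded, and it lists recently installed kernel-mode driver services. The 30-day window is an assumed value, and the driver filter matches the English service-type string.

```powershell
# Added example: audit Hyper-V logging coverage and recent kernel-driver installs.
# Run from an elevated PowerShell session on the Hyper-V host.

# 1. Find the Worker, Hypervisor and VMMS channels and keep the Admin and
#    Operational ones (Analytic channels are normally disabled by design).
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-Hyper-V-Worker-*',
                                  'Microsoft-Windows-Hyper-V-Hypervisor-*',
                                  'Microsoft-Windows-Hyper-V-VMMS-*' -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -match '-(Admin|Operational)$' }

if (-not $channels) {
    Write-Warning 'No Hyper-V event channels found; is the Hyper-V role installed on this host?'
}

$channels | Sort-Object LogName |
    Select-Object LogName, IsEnabled, LogMode, MaximumSizeInBytes, RecordCount |
    Format-Table -AutoSize

# A disabled channel records nothing, so there is nothing for the SIEM to collect.
$disabled = $channels | Where-Object { -not $_.IsEnabled }
if ($disabled) {
    Write-Warning ('Disabled Hyper-V channels: ' + ($disabled.LogName -join ', '))
}

# 2. Kernel-mode driver services installed recently (System log, event ID 7045).
#    EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$since = (Get-Date).AddDays(-30)   # assumed review window
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match 'kernel' } |
    Select-Object TimeCreated,
        @{ Name = 'ServiceName'; Expression = { $_.Properties[0].Value } },
        @{ Name = 'ImagePath';   Expression = { $_.Properties[1].Value } },
        @{ Name = 'Account';     Expression = { $_.Properties[4].Value } } |
    Format-Table -AutoSize -Wrap
```

Any driver in the second table that does not map to a known hardware, backup or security agent deployment on the host is worth reviewing.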
How to Mitigate CVE-2026-42972
Immediate Actions Required
- Apply the June 2026 Microsoft security updates referenced in the Microsoft CVE-2026-42972 Advisory to every affected host.
- Inventory Hyper-V hosts across the estate, including Windows Server 2012 systems that may require extended support updates.
- Restrict interactive and remote logon to Hyper-V hosts to a minimum set of administrators.
- Review guest workloads on shared hosts and prioritize patching for systems hosting sensitive or multi-tenant data.
Patch Information
Microsoft has released cumulative security updates for all supported Windows 10, Windows 11, and Windows Server versions listed in the advisory. Administrators should consult the Microsoft CVE-2026-42972 Advisory for the specific KB article applicable to each operating system build and install it through Windows Update, WSUS, or the Microsoft Update Catalog.
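The following PowerShell is an added example, not taken from the Microsoft advisory, that combines the inventory and patch-verification steps above across several hosts using PowerShell remoting. The host names are constructed and `KB0000000` is a placeholder; substitute the KB listed in the advisory for each operating system build.

```powershell
# Added example: per-host Hyper-V role and patch inventory over PowerShell remoting.
$HyperVHosts = @('hv-host-01', 'hv-host-02')   # constructed host names
$TargetKb    = 'KB0000000'                     # placeholder, not a real KB number

$report = Invoke-Command -ComputerName $HyperVHosts -ErrorAction SilentlyContinue -ScriptBlock {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    # The Virtual Machine Management service (vmms) is present only where
    # the Hyper-V role is installed, so it serves as the role check here.
    $vmms  = Get-Service -Name vmms -ErrorAction SilentlyContinue
    $fixes = @(Get-HotFix)
    $latest = $fixes | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        Host        = $os.CSName
        OS          = $os.Caption
        Build       = $os.BuildNumber
        HyperVRole  = [bool]$vmms
        VmmsStatus  = if ($vmms) { $vmms.Status.ToString() } else { 'NotInstalled' }
        KbInstalled = $fixes.HotFixID -contains $using:TargetKb
        LatestFix   = $latest.HotFixID
        LatestFixOn = $latest.InstalledOn
    }
}

# Hosts that run Hyper-V and lack the target KB sort to the top.
$report |
    Sort-Object KbInstalled, @{ Expression = 'HyperVRole'; Descending = $true } |
    Format-Table Host, OS, Build, HyperVRole, VmmsStatus, KbInstalled, LatestFix, LatestFixOn -AutoSize

# Hosts that returned nothing still need a manual check.
$unreached = $HyperVHosts | Where-Object { $_ -notin $report.PSComputerName }
if ($unreached) {
    Write-Warning ('No response from: ' + ($unreached -join ', '))
}
```

Hosts where `HyperVRole` is true but no guests are needed are candidates for the role-removal workaround listed below.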
Workarounds
- No official workarounds have been published. Patching remains the only supported remediation.
- Where patching is delayed, limit local logon rights on Hyper-V hosts and reduce the number of co-tenant guests on a single host.
- Disable the Hyper-V role on systems that do not require virtualization until updates can be applied.
```powershell
# Show the ten most recently installed updates on this Windows host
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
# Report this host's name, OS edition, version and build number for patch tracking
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object CSName, Caption, Version, BuildNumber
```


