CVE-2026-47652 Overview
CVE-2026-47652 is an out-of-bounds read vulnerability in the Microsoft Windows Hyper-V virtualization stack. The flaw allows a local attacker with high privileges to execute code on the host system. Microsoft published the advisory on June 9, 2026, and the issue is tracked under [CWE-122] heap-based memory corruption.
The vulnerability affects multiple supported Windows 11 client builds and Windows Server releases that ship the Hyper-V role. Successful exploitation crosses a security scope boundary, meaning code triggered inside a guest context can affect the host. No public proof-of-concept or active exploitation has been reported at the time of writing.
Critical Impact
An authenticated local attacker can read out-of-bounds memory in Hyper-V and execute code on the host with scope change, breaking the guest-to-host isolation boundary.
Affected Products
- Microsoft Windows 11 versions 23H2, 24H2, 25H2, and 26H1 (x64 and ARM64)
- Microsoft Windows Server 2022
- Microsoft Windows Server 2025 (x64)
Discovery Timeline
- 2026-06-09 - CVE-2026-47652 published to the National Vulnerability Database
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47652
Vulnerability Analysis
The vulnerability resides in the Windows Hyper-V hypervisor component, which mediates virtual machine operations and partitions resources between guests and the host. An out-of-bounds read condition occurs when Hyper-V processes attacker-influenced data structures without sufficient bounds validation.
Reading beyond the intended buffer exposes adjacent heap memory and can be leveraged to defeat memory layout protections. When chained with controllable allocations, the primitive can be used to redirect execution flow inside the privileged host context. The Common Weakness Enumeration assigns this class as [CWE-122] Heap-based Buffer Overflow.
The scope-changed condition is significant: code triggered from a lower-privileged virtualization context affects the higher-privileged host kernel. This breaks the isolation guarantee that customers rely on for multi-tenant or sandboxed workloads.
Root Cause
The root cause is missing or incorrect bounds checking inside a Hyper-V code path that handles guest-supplied data. Microsoft has not published source-level details. The CWE classification points to a heap-based buffer read where the size or index value used during access exceeds the allocated extent.
Attack Vector
Exploitation requires local access and high privileges on the system. An attacker with administrative rights inside a guest virtual machine, or equivalent privileged access on the host partition, can trigger the vulnerable code path. No user interaction is required. The local attack vector combined with the scope-change property makes this a guest escape primitive relevant to virtualization tenants.
No verified exploitation code is available. Readers should consult the Microsoft CVE-2026-47652 Advisory for vendor-specific technical guidance.
Detection Methods for CVE-2026-47652
Indicators of Compromise
- Unexpected Hyper-V worker process (vmwp.exe) crashes or restarts on the host partition, especially correlated with guest activity.
- Bug check events referencing the hypervisor or hvix64.sys / hvax64.sys in host kernel crash logs.
- New or unsigned drivers loaded on the host shortly after suspicious VM activity.
Detection Strategies
- Monitor Windows Event Log channel Microsoft-Windows-Hyper-V-Worker-Admin for abnormal VM exits and worker termination patterns.
- Baseline normal hypercall and VMBus traffic, then alert on guests issuing malformed or unusually frequent control requests.
- Correlate guest-side privilege escalation events with host-side process anomalies to identify guest-to-host pivot attempts.
Monitoring Recommendations
- Enable kernel and hypervisor crash dump collection on all Hyper-V hosts to support forensic analysis.
- Track patch state of hvix64.sys, vmwp.exe, and related Hyper-V binaries against the June 2026 Patch Tuesday baseline.
- Restrict and audit administrative access inside guest VMs, as the exploit prerequisite is high local privilege.
How to Mitigate CVE-2026-47652
Immediate Actions Required
- Apply the June 2026 Microsoft security updates to all Hyper-V hosts running Windows 11 23H2 through 26H1, Windows Server 2022, and Windows Server 2025.
- Inventory hosts running the Hyper-V role and prioritize patching for systems hosting multi-tenant or untrusted workloads.
- Reduce the number of accounts with local administrator rights inside guest VMs to limit exploitation prerequisites.
Patch Information
Microsoft released fixes through the Update Guide entry for this CVE. Refer to the Microsoft CVE-2026-47652 Advisory for the current cumulative update KB numbers that map to each affected Windows build. Apply the updates through Windows Update, WSUS, or your endpoint management platform and reboot to complete installation.
Workarounds
- No official workaround has been published by Microsoft; patching is the supported remediation path.
- Where patching must be delayed, disable the Hyper-V role on hosts that do not require virtualization using Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V.
- Enforce least privilege inside guest VMs and segregate sensitive workloads onto fully patched hosts until updates can be deployed broadly.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
