HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-47652Published Modified CNA microsoft

CVE-2026-47652: Windows Hyper-V Remote Code Execution Vulnerability

Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1
8.2
Severity
HIGH
Fixed in
10.0.20348.5256
Affected Products
8

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability in Windows Hyper-V allows a local attacker with administrative privileges to execute arbitrary code. The exploit runs entirely on the local machine, requires no network access, and no victim interaction, but the attacker must already hold a high-privilege account. Successful exploitation crosses the Hyper-V isolation boundary (scope change) and grants full code execution with high confidentiality, integrity, and availability impact on the host or sibling guest partitions. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows versions.

HarborGuard Coverage

Detection

Detection for CVE-2026-47652 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built Windows-based container images. Coverage extends to any image derived from an affected Windows Server or Windows 11 base layer.

Available
Triage

HarborGuard triage surfaces this CVE with a CVSS v3.1 score of 8.2 (HIGH), weighted further by per-environment compliance policies that may elevate priority for workloads running privileged Windows containers. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild pinned to the applicable fix version (10.0.20348.5256 for Windows Server 2022, 10.0.26100.8655 or 10.0.26100.32995 for Windows Server 2025 and Windows 11 24H2, and 10.0.22631.7219 for Windows 11 23H2) becomes available on HarborGuard as soon as the upstream base images reflecting those builds are published. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network path to the target is required.

  • AuthenticationRequired

    An admin or otherwise high-privileged account on the local system is needed to trigger the vulnerable Hyper-V code path.

  • Victim interactionNot required

    The exploit executes without any action from another user or process on the system.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental setup beyond holding the necessary privileges.

Blast Radius

  • Reads protected memory across the Hyper-V isolation boundary, exposing data from the hypervisor or other guest partitions.
  • Writes or corrupts memory outside the intended bounds, allowing modification of hypervisor state or guest partition data.
  • Can crash or destabilize the Hyper-V host process, bringing down all virtual machines running on the affected host.
  • Full code execution at the hypervisor layer means a successful attacker effectively controls the host and all workloads it manages.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active against any image built on an affected Windows base layer, with results appearing within minutes of CVE ingestion. For environments where the base image has been updated to a fix version (10.0.20348.5256, 10.0.22631.7219, 10.0.26100.8655, 10.0.26100.32995, or 10.0.26200.8655), a patched-image rebuild becomes available automatically. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where an immediate base-image update is not feasible, consider restricting which accounts hold Hyper-V management privileges and auditing local administrator group membership on container hosts as a compensating control while the patched base image is validated.

See how HarborGuard automates this

Fix available

10.0.20348.525610.0.22631.721910.0.26100.865510.0.26100.3299510.0.26200.865510.0.28000.2269
Patch commits
Affected packages
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
References