Description
Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free bug in the Windows Hyper‑V hypervisor that allows an attacker who can execute code on the host to read or modify memory that has already been freed, thereby elevating privileges. The weakness is identified as CWE‑416 and could compromise the confidentiality, integrity and availability of the host from the perspective of an attacker with local access.

Affected Systems

Affected machines include Microsoft Windows 11 versions 23H2 and 22H3 as well as Microsoft Windows Server 2022. The bug resides in the Hyper‑V component shipped with those releases for both arm64 and x64 architectures on Windows 11 23H2, and for all architectures on Windows Server 2022.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the EPSS score is not currently available, meaning no publicly observed exploitation data exists. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local because the description indicates an unauthorized attacker with local access to the host, and exploitation requires interaction with the Hyper‑V infrastructure, which typically runs in kernel mode. Attackers could exploit this by leveraging privileged Hyper‑V guest or service processes, thus elevating privileges to SYSTEM level.

Generated by OpenCVE AI on May 12, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Windows security update that addresses CVE‑2026‑40402 through Windows Update or the Microsoft Update Catalog.
  • If a cumulative update containing the fix has not yet been released for the affected builds, plan to apply it as soon as it becomes available for Windows 11 23H2, 22H3, or Windows Server 2022.
  • If Hyper‑V functionality is not required in the environment, disable the Hyper‑V role to reduce the attack surface.
  • Enforce least privilege for local accounts and restrict or monitor privileged processes that interact with Hyper‑V to detect potential misuse.

Advisories

No advisories yet.

History

Fri, 15 May 2026 15:30:00 +0000

Type: CPEs
Values Removed: (empty)
Values Added:
  cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*

Wed, 13 May 2026 10:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added:
  Microsoft windows 11 22h3
  Microsoft windows 11 23h2

Type: Vendors & Products
Values Removed: (empty)
Values Added:
  Microsoft windows 11 22h3
  Microsoft windows 11 23h2

Tue, 12 May 2026 17:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.

Type: Title
Values Removed: (empty)
Values Added: Windows Hyper-V Elevation of Privilege Vulnerability

Type: First Time appeared
Values Removed: (empty)
Values Added:
  Microsoft
  Microsoft windows 11 23h2
  Microsoft windows Server 2022

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-416

Type: CPEs
Values Removed: (empty)
Values Added:
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
  cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
  cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (empty)
Values Added:
  Microsoft
  Microsoft windows 11 23h2
  Microsoft windows Server 2022

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
  {'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T18:09:05.618Z

Reserved: 2026-04-13T00:27:50.798Z

Link: CVE-2026-40402

Vulnrichment

Updated: 2026-05-13T09:58:33.094Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:18.000

Modified: 2026-05-15T15:23:40.807

Link: CVE-2026-40402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:00:10Z

Weaknesses