This vulnerability is an out‑of‑bounds read in the Hyper‑V virtualization stack that can be triggered by an attacker with local access. The flaw is classified as CWE‑843, an improper array bounds checking weakness, and if successfully exploited it would allow the attacker to execute arbitrary code with the privileges of the Hyper‑V service. The impact is a full compromise of the local system if the attacker is able to run code within the hypervisor context.

Affected Microsoft products include Windows 10 versions 21H2 and 22H2, Windows 11 versions 23H2, 24H2, 25H2, and 26H1, and Windows Server builds 2022 and 2025, including Server Core installations. The issue is specific to the Hyper‑V component present on these operating systems.

The CVSS score of 8.4 indicates high severity and the vulnerability is not listed in CISA’s KEV catalog. EPSS data is not available, so the likelihood of exploitation is currently unknown. The condition for exploitation is local access; the attacker must be able to execute code on the target machine or obtain privileged access to interact with Hyper‑V’s interfaces. Once triggered, the attacker can gain control of the host system with full privileges, potentially enabling further lateral movement.