Windows Hyper-V Remote Code Execution Vulnerability

Plan PatchCVSS 7.3CVE-2026-32149Apr 14, 2026

Microsoft

IT in OT - Windows Server and Active Directory are widely deployed in OT environments

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Improper input validation in Windows Hyper-V allows an authorized local attacker to execute code on the Hyper-V host system. The vulnerability requires local access and user interaction; a local user account holder can trigger the flaw through the Hyper-V interface or API to run arbitrary code with Hyper-V privileges, potentially compromising the host or virtual machines.

What this means

What could happen

An attacker with local access to a Hyper-V host machine could run arbitrary code with the privileges of the Hyper-V process, potentially compromising virtual machines or the host system itself.

Who's at risk

Windows Server administrators managing Hyper-V virtualized environments, particularly those running Windows Server 2016, 2019, 2022, or 2025, or Windows 10/11 systems with Hyper-V enabled for infrastructure or development workloads.

How it could be exploited

An attacker with a local user account on the Hyper-V host can trigger improper input validation in the Hyper-V component through a local interaction (UI or API), allowing code execution. This requires the attacker to have legitimate logon access to the host system.

Prerequisites

Local user account on the Hyper-V host system
User interaction required (the attacker must trigger a specific action in the Hyper-V UI or API)

Low complexityRequires local user accountRequires user interactionAffects virtualization platformLow exploit probability (0.1% EPSS)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (21)

21 with fix

ProductAffected VersionsFix Status

Windows 11 Version 26H1 for ARM64-based SystemsAll versionsBuild 10.0.28000.1836

Windows 11 version 26H1 for x64-based SystemsAll versionsBuild 10.0.28000.1836

Windows 10 Version 1809 for x64-based SystemsAll versionsBuild 10.0.17763.8644

Windows Server 2019All versionsBuild 10.0.17763.8644

Windows Server 2019 (Server Core installation)All versionsBuild 10.0.17763.8644

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Windows Server 2016

HOTFIXApply the April 2026 Windows security update to all affected systems (Windows 10, Windows 11, Windows Server 2016, 2019, 2022, 2025)

Long-term hardening

0/2

HARDENINGRestrict local logon privileges on Hyper-V hosts to trusted administrative users only

HARDENINGReview and audit local user accounts on Hyper-V host systems to remove unnecessary access

CVEs (1)

CVE-2026-32149

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a75696f4-9b71-46c7-b204-e947bf0d002a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.