Local Hyper-V Heap Overflow (CVE-2026-21248) Enables Ring -1 Code Execution on Windows 11 25H2
What Happened — A public exploit (EDB-52537) demonstrates a heap-based buffer overflow in the Hyper-V VMBus GPADL allocation path of Windows 11 25H2 (build 26200.7830). An attacker who is a member of the Hyper-V Administrators group can mount a crafted .VHDX file and execute arbitrary code at the hypervisor level (ring -1, below the guest and host kernels).
Why It Matters for TPRM —
- The exploit contradicts the "no privileges required" (PR:N) entry in Microsoft's CVSS vector: it needs Hyper-V Administrator rights, so the practical risk is a privilege-escalation path from that group to hypervisor code execution on any host running Hyper-V on Windows 11 25H2.
- Existing vulnerability scanners often do not detect the overflow, so patch-status reports for managed services and cloud-hosted workloads may be falsely reassuring.
- Successful exploitation can subvert host telemetry, persist malicious code in the hypervisor, and, in a supply-chain scenario, affect the downstream customers of an affected provider.
Who Is Affected — Enterprises and service providers that run Windows 11 25H2 with Hyper‑V enabled (e.g., MSPs, cloud‑hosted VDI, on‑premises labs).
Recommended Actions —
- Verify that every Windows 11 25H2 host (build 26200.x) is at build 26200.7840 or later; the build cited by the exploit is 26200.7830.
- Audit membership of the Hyper-V Administrators group on each host; enforce least privilege and MFA for those accounts.
- Augment scanning rules with a check specific to the VMBus GPADL overflow rather than relying on generic OS-version detection.
- Consider temporarily disabling Hyper-V on systems that do not require it, keeping in mind that WSL 2, Windows Sandbox and virtualization-based security features such as Credential Guard also depend on the hypervisor.
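The first, second and fourth actions above can be checked from one elevated PowerShell session per host. The script below is an added example and is not part of the advisory or the Exploit-DB entry; it assumes the patched threshold of build 26200.7840 stated above (the threshold values are the only advisory-specific inputs), that it runs elevated in Windows PowerShell 5.1 on a Windows 11 client SKU, and it leaves the disabling step commented out so that a fleet run is read-only by default.

```powershell
# Added example (not from the advisory or EDB-52537).
# Run elevated in Windows PowerShell 5.1 on each Windows 11 host.
# Assumption taken from the advisory text: hosts at 26200.7840 or later are patched.
$FixedBuild = 26200   # Windows 11 25H2
$FixedUbr   = 7840    # first patched revision per the advisory

function Get-HyperVExposure {
    # OS build and update build revision (UBR) from the registry, e.g. 26200.7830
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Only 25H2 (26200.x) hosts are in scope for this advisory; others are reported as out of scope
    $inScope = ($build -eq $FixedBuild)
    $patched = $inScope -and ($ubr -ge $FixedUbr)

    # Hyper-V feature state on client SKUs: 'Enabled' or 'Disabled'
    $hvState = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All).State

    # Members of BUILTIN\Hyper-V Administrators, looked up by well-known SID
    # (S-1-5-32-578) so the check does not depend on the display language
    $hvAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-578' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = "$build.$ubr"
        InScope      = $inScope
        Patched      = $patched
        HyperVState  = $hvState
        HyperVAdmins = $hvAdmins
        # Exposed only when the host is in scope, unpatched, and actually running Hyper-V
        Exposed      = $inScope -and (-not $patched) -and ($hvState -eq 'Enabled')
    }
}

$report = Get-HyperVExposure
$report | Format-List

if ($report.Exposed) {
    Write-Warning ("Unpatched Hyper-V host; review these Hyper-V Administrators: " +
                   ($report.HyperVAdmins -join ', '))
    # Mitigation for hosts that do not need Hyper-V (takes effect after a reboot).
    # Uncomment deliberately: this also removes WSL 2, Windows Sandbox and VBS support.
    # Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
}
```

For a fleet, wrap the function in `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-HyperVExposure}` and collect the objects into a CSV; the `Exposed` flag is what a TPRM reviewer would ask a provider to attest to, while the `HyperVAdmins` list is the input to the least-privilege audit. On Windows Server the optional feature is named `Microsoft-Hyper-V` rather than `Microsoft-Hyper-V-All`, and the advisory's build threshold does not apply there.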
Technical Notes —
- Attack vector: local privilege escalation via a crafted .VHDX.
- CVEs: CVE-2026-21248, CVE-2026-21244 (heap overflow in Hyper-V).
- Impact: code execution at ring -1, persistence via hvax64.exe, telemetry disruption.
- Mis-representation: Microsoft's CVSS vector listed "No privileges required" (PR:N); the exploit shows that "Low privileges" (PR:L) are in fact required.
Source: Exploit‑DB 52537