CVE-2026-40402 - Windows Hyper-V Use-After-Free Privilege Escalation
CVE-2026-40402 is a use-after-free vulnerability in Windows Hyper-V, enabling an unauthorized local attacker to escalate privileges.
CVE-2026-40402 is a critical use-after-free vulnerability affecting Windows Hyper-V. This flaw allows an attacker with local access to the system to escalate their privileges. The vulnerability stems from improper memory management within the Hyper-V component: memory that has already been freed can be accessed again. Successful exploitation could allow an attacker to gain elevated privileges on the system, potentially leading to complete system compromise. Defenders need to apply the patch released by Microsoft to mitigate this threat and prevent potential exploitation.
Attack Chain
- An attacker gains initial local access to the target Windows system.
- The attacker crafts a malicious Hyper-V request designed to trigger the use-after-free vulnerability.
- The crafted request interacts with the vulnerable Hyper-V component, leading to memory corruption.
- The Hyper-V service attempts to access previously freed memory.
- The attacker leverages the use-after-free condition to execute arbitrary code.
- The attacker’s code executes with elevated privileges within the Hyper-V environment.
- The attacker leverages their elevated privileges within Hyper-V to compromise the host operating system.
- The attacker achieves complete control over the system, enabling activities like data exfiltration, malware installation, or further lateral movement.
Impact
Successful exploitation of CVE-2026-40402 allows a local attacker to escalate privileges on the affected Windows system. This can lead to a complete system compromise, including unauthorized data access, modification, or destruction. Given the widespread use of Hyper-V in both enterprise and personal environments, this vulnerability poses a significant risk.
Recommendation
- Apply the security update provided by Microsoft to patch CVE-2026-40402 on all Windows systems running Hyper-V immediately.
- Enable process creation logging to capture events related to potential exploitation attempts.
- Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts related to CVE-2026-40402.
- Monitor for unexpected or unauthorized activity within the Hyper-V environment after patching.
Detection coverage (2 rules)
Detects CVE-2026-40402 Exploitation — Hyper-V Vmcompute.exe Suspicious Child Processes
Severity: high. Monitors for unusual child processes spawned by vmcompute.exe, which could indicate an attempt to escalate privileges via the use-after-free vulnerability.
Detects CVE-2026-40402 Exploitation — Hyper-V Service Creation with Suspicious Binaries
Severity: medium. Detects the creation of new Windows services pointing to unusual or non-standard binary locations, potentially indicating unauthorized code execution after a privilege escalation.
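As an added example (not part of this brief or of the Sigma rules it refers to), the following Python sketches the logic of the two detections above, run over constructed Sysmon-style process-creation and service-install records. The event field names, the vmwp.exe allow-list and the set of standard service directories are assumptions to be tuned for your environment.

```python
import ntpath

# Constructed sample events (not real telemetry). Field names follow Sysmon EventID 1
# (process creation) and System EventID 7045 (service install) but are assumptions here.
EVENTS = [
    {"type": "process_create", "ParentImage": "C:\\Windows\\System32\\vmcompute.exe",
     "Image": "C:\\Windows\\System32\\vmwp.exe"},                       # expected worker
    {"type": "process_create", "ParentImage": "C:\\Windows\\System32\\vmcompute.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},                        # rule 1 hit
    {"type": "process_create", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},                        # other parent
    {"type": "service_install", "ServiceName": "wuauserv",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},     # standard dir
    {"type": "service_install", "ServiceName": "hvhelper",
     "ImagePath": "\"C:\\Users\\Public\\hv helper.exe\" -run"},         # rule 2 hit
]
# Assumed allow-list: vmwp.exe (the VM worker process) is what vmcompute.exe normally starts.
EXPECTED_VMCOMPUTE_CHILDREN = {"vmwp.exe"}
# Assumed "standard" directories for service binaries; anything else is flagged.
STANDARD_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                         "c:\\program files\\", "c:\\program files (x86)\\")

def service_binary(image_path: str) -> str:
    """Extract the executable from an ImagePath value (quoted path, else first token)."""
    s = image_path.strip()
    if s.startswith('"') and s.find('"', 1) > 0:
        return s[1:s.find('"', 1)]
    return s.split()[0] if s else ""

def suspicious_vmcompute_child(ev: dict) -> bool:
    """Rule 1 (high): vmcompute.exe spawned something outside its expected children."""
    return (ev.get("type") == "process_create"
            and ntpath.basename(ev.get("ParentImage", "")).lower() == "vmcompute.exe"
            and ntpath.basename(ev.get("Image", "")).lower() not in EXPECTED_VMCOMPUTE_CHILDREN)

def suspicious_service_install(ev: dict) -> bool:
    """Rule 2 (medium): a new service whose binary lives outside standard directories."""
    if ev.get("type") != "service_install":
        return False
    return not service_binary(ev.get("ImagePath", "")).lower().startswith(STANDARD_SERVICE_DIRS)

def triage(events: list) -> list:
    """Return (severity, rule, detail) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        if suspicious_vmcompute_child(ev):
            hits.append(("high", "vmcompute_child", ev["Image"]))
        elif suspicious_service_install(ev):
            hits.append(("medium", "service_binary", ev["ServiceName"]))
    return hits

if __name__ == "__main__":
    for sev, rule, detail in triage(EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

Unquoted service paths that contain spaces are cut at the first space by service_binary, so they will also be flagged; treat such hits as a prompt to review the service rather than as a confirmed exploitation signal.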