CVE-2026-57092: Patch Hyper-V VMSwitch Privilege Escalation

Microsoft’s July 2026 security updates fix CVE-2026-57092, a critical Windows VMSwitch elevation-of-privilege vulnerability with a CVSS 3.1 score of 9.9. The flaw affects Hyper-V networking components across supported Windows client and server releases, and its practical importance is concentrated in environments where virtual machines share a Hyper-V host.
Microsoft’s advisory, published July 14, describes the issue as a use-after-free vulnerability in Windows VMSwitch that lets an authorized attacker elevate privileges over a network. The National Vulnerability Database records the same CVSS vector: network reachable, low attack complexity, no user interaction, but requiring low privileges. That combination makes this an urgent patching case for Hyper-V hosts—not a vulnerability to leave for the next routine maintenance cycle.
The Cyber Security Agency of Singapore also lists CVE-2026-57092 among the critical July Microsoft vulnerabilities, with the same 9.9 score. Microsoft has not publicly released technical exploit details, proof-of-concept code, or an indication that the flaw is being exploited in the wild.

Cybersecurity scene showing Hyper-V virtual machines, a vulnerable vSwitch, cloud threats, and patch monitoring.The risk sits at the virtual network boundary​

Windows VMSwitch is the Hyper-V Virtual Switch: the software-based Layer 2 switching component that connects virtual machines to one another, to host resources, and to physical networks. Microsoft’s Hyper-V documentation places the switch in the management operating system of the parent partition, precisely where guest networking meets host-side virtualization infrastructure.
That placement explains the severity. This is not simply a bug in a guest application or a networking feature used by a single Windows PC. A successful exploit could potentially turn control from a low-privileged position reachable through a virtualized network path into control with much broader rights, affecting confidentiality, integrity, and availability beyond the initially compromised context.
The CVSS vector is especially notable:
  • The vulnerability is rated network-accessible and low complexity, with no user interaction required.
  • It still requires an attacker to be authorized, represented by the PR:L low-privileges requirement.
  • The score includes scope change, meaning the vulnerable component and the impacted security authority are treated as distinct boundaries.
  • Microsoft’s CVE record identifies CWE-416, the common weakness category for a use-after-free memory-safety flaw.
That does not mean every Windows machine on a corporate LAN is remotely exposed. The product affected is VMSwitch, so the immediate focus belongs on Hyper-V hosts and devices where Hyper-V virtualization is enabled and in use. Nor does “over a network” erase the low-privilege prerequisite. It does, however, make a vulnerable virtualized environment materially different from the more familiar local-only Windows privilege-escalation bug.
For administrators running multi-tenant virtualization, development labs, CI infrastructure, virtual desktop workloads, or systems that allow less-trusted users to operate workloads inside VMs, the distinction matters. In those environments, a low-privilege foothold is an assumption security teams often make—not an adequate safety barrier.

The patch list reaches farther than current Windows releases​

Microsoft’s affected-product record covers an unusually broad span of Windows releases. The list includes Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 24H2, 25H2, and 26H1; and Windows Server 2012 through Windows Server 2025, including Server Core installations where applicable.
The supplied fixed-build thresholds show why inventory accuracy matters. Microsoft marks the following builds as vulnerable when they are below the stated version:
PlatformMinimum addressed build
Windows 10 1607 / Windows Server 201614393.9339
Windows 10 1809 / Windows Server 201917763.9020
Windows 10 21H2 and 22H219044.7548 / 19045.7548
Windows 11 24H226100.8875
Windows 11 25H226100.8875
Windows 11 26H128000.2525
Windows Server 202220348.5386
Windows Server 202526100.33158
The apparent Windows 11 25H2 threshold deserves a verification step in enterprise tooling rather than blind interpretation. Microsoft’s record presents 25H2 as build 26200 but uses 26100.8875 as the remediation threshold, which may reflect the servicing relationship between releases. Administrators should validate actual installed cumulative updates and deployment applicability through Microsoft Update, Windows Update for Business, WSUS, Configuration Manager, or their endpoint-management platform.
Older server versions remain prominent in the advisory. Windows Server 2012 and Windows Server 2012 R2 are included with fixed builds 9200.26226 and 9600.23291 respectively, an important reminder that extended-support servers running Hyper-V are still part of this month’s security workload.

Treat Hyper-V hosts as the priority ring​

The correct response is to prioritize based on the presence and use of the Hyper-V role, rather than treating every endpoint as equally exposed. A Windows 11 workstation with Hyper-V installed for local development deserves timely patching; a Windows Server 2025 host carrying production VMs, connected to externally reachable networks, deserves accelerated change control.
Microsoft Learn describes Hyper-V as a type-1 hypervisor that runs directly on hardware, while the extensible switch connects VM adapters to the parent partition’s networking stack. In production, that means patch validation must cover more than whether a cumulative update installs successfully. Teams should account for host reboots, live-migration capacity, cluster maintenance mode, backup windows, and any network virtual appliances or third-party virtual switch extensions bound into the affected stack.
A practical response should include the following:
  • Identify every Windows Server and Windows client where the Hyper-V role, Hyper-V feature set, or Hyper-V-based services are enabled.
  • Prioritize hosts that run untrusted, customer-operated, development, test, or internet-facing guest workloads.
  • Deploy the July 2026 Windows security updates through an expedited ring where ordinary deferrals would materially delay protection.
  • Reboot patched hosts and confirm their cumulative-update build number rather than relying only on deployment-success reporting.
  • Test cluster networking, VM connectivity, live migration, and any installed NDIS or Windows Filtering Platform switch extensions after rollout.
  • Restrict administrative and tenant access paths to Hyper-V hosts while the deployment is underway.
Microsoft’s Intune guidance says expedited quality-update policies can bypass normal deferral settings for supported Windows security updates. That makes them appropriate here for managed Windows 10 and Windows 11 devices, particularly developer workstations that run Hyper-V, Windows Sandbox, Windows Subsystem for Linux 2, or local virtual test environments. Server estates using WSUS, Configuration Manager, Azure Update Manager, or another patch platform will need an equivalent accelerated deployment process.

“No known exploitation” is not a reason to defer​

CISA’s SSVC enrichment for the CVE currently classifies exploitation as “none” and automation as “no,” while recording potential technical impact as “total.” Those fields are valuable prioritization signals, but they are a snapshot of public evidence on July 15, 2026—not a prediction that exploit development will not follow.
Microsoft has confirmed the vulnerability, assigned a critical score, and issued updates. That gives defenders enough certainty to act even though the company has not published exploit mechanics. The absence of a public proof of concept is useful breathing room, not a mitigation.
For security teams, this flaw belongs in the same operational category as other virtualization-boundary defects: patch early, narrow exposure while rollout proceeds, and validate the host layer carefully. A compromise of an ordinary guest workload is painful; a path that could expand privileges through the host’s virtual switching layer changes the potential blast radius.
The next milestone is not additional commentary from Microsoft. It is confirming that every Hyper-V host has crossed its applicable July 2026 build threshold, rebooted cleanly, and returned to service with virtual networking intact.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: aha.org
  3. Official source: learn.microsoft.com
 

Back
Top