CVE-2024-38080 — Microsoft Windows Hyper-V Privilege Escalation Vulnerability


Windows Hyper-V — Zero-Day Integer Overflow Enables Local User to Gain SYSTEM on Hyper-V Host; July 2024 Patch Tuesday

What is Windows Hyper-V?

Hyper-V is Microsoft's native hypervisor built into Windows, providing hardware virtualization for running multiple virtual machines on a single host. It is a core component of Windows Server environments and is also included in Windows 10/11 Pro and Enterprise editions. Hyper-V operates at the highest privilege level (ring -1 / VMX root mode) and manages memory, CPU, and device access for all guest VMs. Vulnerabilities in the Hyper-V host component are high-value targets because they can allow a low-privileged process on the host — or in some scenarios a guest VM — to gain complete control of the underlying hardware.

Overview

CVE-2024-38080 is an integer overflow vulnerability in Windows Hyper-V that allows a local attacker with standard user privileges to escalate to SYSTEM on the Hyper-V host. Microsoft and CISA simultaneously disclosed this as a zero-day on July 9, 2024 (July Patch Tuesday), confirming active exploitation before the patch was available. The same-day KEV addition indicates the vulnerability was being used in real attacks at the time of disclosure.

Affected Versions

OS | Status
Windows 11 (all supported versions) | Patched July 2024 Patch Tuesday
Windows Server 2016 and later | Patched July 2024 Patch Tuesday

Technical Details

The weakness class is CWE-190 (Integer Overflow or Wraparound). The Hyper-V driver contains an integer overflow in a size calculation used during memory management operations. When an arithmetic operation on a size or count value overflows the integer type, the result wraps to a value smaller than the true size, and that value is used to allocate a heap buffer that is smaller than expected. Subsequent writes into this undersized buffer overflow it, corrupting adjacent kernel heap memory. The controlled corruption is then used to overwrite kernel data structures (such as security tokens or privilege attributes) to escalate the attacker's process to SYSTEM.

Because the attack vector is Local (AV:L) with Low privilege required (PR:L) and Low complexity (AC:L), this is an ideal privilege escalation primitive — a low-privilege user or process on the host can reliably escalate to SYSTEM without requiring timing-dependent race conditions.
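
The integer-overflow pattern described in this section, as an added illustration in C (not Hyper-V code and not taken from the advisory): the hypothetical record_t, the function names and the 24-byte element size are assumptions, chosen to show how a 32-bit size multiplication wraps to a too-small allocation size and how a checked multiplication rejects the same request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 24-byte record; not a real Hyper-V structure. */
typedef struct { uint8_t payload[24]; } record_t;

/* Unchecked pattern (CWE-190): the 32-bit product wraps modulo 2^32, so a
 * large caller-supplied count produces a size far smaller than required. */
static uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(record_t);
}

/* Checked pattern: fail if count * sizeof(record_t) does not fit in 32 bits. */
static bool checked_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / sizeof(record_t))
        return false;
    *out = count * (uint32_t)sizeof(record_t);
    return true;
}

/* Allocate only when the size calculation is proven not to wrap. */
static record_t *alloc_records(uint32_t count)
{
    uint32_t bytes;
    if (count == 0 || !checked_alloc_size(count, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t count = 178956971u;   /* constructed: 24 * count = 2^32 + 8 */
    uint32_t bytes = 0;

    printf("unchecked size for %u records: %u bytes\n",
           (unsigned)count, (unsigned)unchecked_alloc_size(count));
    printf("checked calculation accepted: %s\n",
           checked_alloc_size(count, &bytes) ? "yes" : "no");
    printf("alloc_records returned %s\n",
           alloc_records(count) ? "a buffer" : "NULL");
    return 0;
}
```

Windows kernel-mode code can get the same check from the ntintsafe.h helpers (for example RtlULongMult), which return an error status instead of a wrapped product.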

Discovery

The vulnerability was confirmed as a zero-day by Microsoft's Patch Tuesday release and the simultaneous CISA KEV addition. No public researcher attribution was provided at the time of disclosure, consistent with Microsoft's convention when the discoverer requested anonymity or was identified internally.

Exploitation Context

Hyper-V LPE vulnerabilities are particularly valuable in post-exploitation scenarios where an attacker has already gained a foothold as a low-privilege user on a Hyper-V host. A large proportion of enterprise Windows Server deployments run Hyper-V, and gaining SYSTEM on a Hyper-V host provides full access to all hosted virtual machines, their disk images, and any credentials or sensitive data they contain. This makes Hyper-V host compromise a high-impact step in ransomware and espionage campaigns targeting virtualized infrastructure.

Remediation

  1. Apply the July 2024 Windows security updates (Patch Tuesday, July 9, 2024) to all Hyper-V hosts immediately.
  2. Restrict interactive logon to Hyper-V hosts — only privileged administrators should have local or RDP access to host machines; regular users should not have any logon rights on virtualization hosts.
  3. Enable virtualization-based security (VBS) and Hypervisor-Protected Code Integrity (HVCI) on supported hardware — these reduce the exploitability of kernel-level memory corruption by enforcing kernel code integrity.
  4. Monitor Hyper-V hosts for unusual SYSTEM-level process creation or privilege changes that may indicate post-exploitation activity.

Key Details

Property | Value
CVE ID | CVE-2024-38080
Vendor / Product | Microsoft — Windows
NVD Published | 2024-07-09
NVD Last Modified | 2025-10-28
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-190
CISA KEV Added | 2024-07-09
CISA KEV Deadline | 2024-07-30
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-07-30. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-07-09 | Microsoft releases July 2024 Patch Tuesday patching CVE-2024-38080; CISA adds to KEV the same day — confirming zero-day exploitation
2024-07-30 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Microsoft Security Advisory — CVE-2024-38080 | Vendor Advisory
NVD — CVE-2024-38080 | Vulnerability Database
CISA KEV Catalog Entry | US Government