CVE-2021-26443: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
Overview
- Severity
- Critical (CVSS 9)
- CVSS Vector
- CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category
- Remote Code Execution
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2021-Nov
- Released
- 2021-11-09
- Last Updated
- 2021-11-12
- EPSS Score
- 0.55% (percentile: 68.0%)
FAQ
How could an attacker exploit this vulnerability?
A remote code execution vulnerability exists when a VM guest fails to properly handle communication on a VMBus channel. To exploit the vulnerability, an authenticated attacker could send a specially crafted communication on the VMBus channel from the guest VM to the Host. An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
Does this update need to be applied to Hyper-V guest virtual machines?
If the guest VM is running nested VMs, then this machine becomes a host and is vulnerable to CVE-2021-26443 and the update will need to be applied to mitigate this vulnerability. If the Guest VM is not running nested VMs then the Guest VM is not vulnerable to CVE-2021-26443.
** Is my system at risk to CVE-2021-26443 if Hyper-V is not enabled?**
No.
From a Guest and Host perspective does CVE-2021-26443 only apply to OS running Hyper-V
Yes
Affected Products (11)
Windows
- Windows 10 Version 1809 for x64-based Systems
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
- Windows 10 Version 2004 for x64-based Systems
- Windows Server, version 2004 (Server Core installation)
- Windows Server, version 20H2 (Server Core Installation)
- Windows 11 version 21H2 for x64-based Systems
Security Updates (5)
Acknowledgments
Wei in Kunlun lab
Revision History
- 2021-11-09: Information published.
- 2021-11-12: Added FAQ information. This is an informational change only.