CVE-2026-40402

Daily digests

A use-after-free bug in Windows Hyper-V lets an unauthenticated local attacker escalate privileges. CVSS 9.3 is unusually high for a local bug, which likely means a guest-to-host escape. If you run Hyper-V, a compromised VM could break out and own the host.

• Patch Tuesday · May 13, 2026

  Patch Tuesday May 2026: DNS + Netlogon at 9.8, 19 more