CVE-2020-1040

CVSS 9 CRITICAL | EPSS 6.9% | KEV | CWE-20

In short

A flaw in Hyper-V RemoteFX vGPU allows a user on a virtual machine to execute arbitrary code on the host server by sending specially crafted input that is not properly validated. This is critical because it breaks the isolation between virtual machines and the host.

Technical detail

The vulnerability lies in how RemoteFX vGPU on the host validates input from the guest: an authenticated guest OS user can send malformed requests that the host fails to validate properly, achieving remote code execution on the host. The attack surface is limited to environments with RemoteFX vGPU enabled and guest-to-host communication channels.

Summary generated and translated by AI from the official description.
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043.
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
