EIP-2026-115408

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-115408. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates a heap-based buffer overflow in the RNDIS (Remote Network Driver Interface Specification) handling of the OID_802_3_MULTICAST_LIST request in Windows Hyper-V. The vulnerability arises from an integer division flaw that allows an attacker to overflow a buffer by 1 to 5 bytes, potentially leading to remote code execution in the host's kernel context.

Description

Hyper-V - 'vmswitch.sys' VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · cdoswindows

https://www.exploit-db.com/exploits/39713

View Code ZIP pw:eip

This exploit demonstrates a heap-based buffer overflow in the RNDIS (Remote Network Driver Interface Specification) handling of the OID_802_3_MULTICAST_LIST request in Windows Hyper-V. The vulnerability arises from an integer division flaw that allows an attacker to overflow a buffer by 1 to 5 bytes, potentially leading to remote code execution in the host's kernel context.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows Hyper-V (vmswitch.sys)

No auth needed

Prerequisites: Access to a guest VM with RNDIS network interface · Ability to send crafted RNDIS messages to the host

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Hyper-V - 'vmswitch.sys' VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow

Exploitation Summary

Description

Exploits (1)

Details