Executive Summary \r\n \r\n \r\n Guardicore Labs, in collaboration with SafeBreach Labs, found a critical vulnerability in Hyper-V’s virtual network switch driver (vmswitch.sys). \r\n \r\n Hyper-V serves as the underlying virtualization technology for Azure — Microsoft’s public cloud. \r\n \r\n The vulnerability allows for both remote code execution and denial of service. Exploiting it allowed an attacker with an Azure virtual machine to take down whole regions of the cloud, as well as run arbitrary code on the Hyper-V host. \r\n \r\n The vulnerability first appeared in a vmswitch build from August 2019, suggesting this bug may have been in production for more than a year and a half. \r\n \r\n In May 2021, Microsoft assigned the vulnerability CVE-2021-28476 with a CVSS score of 9.9 and released a patch for it. \r\n \r\n The vulnerability was found by Guardicore’s Ophir Harpaz and SafeBreach’s Peleg Hadar using an in-house developed fuzzer named hAFL1 .…