CVE-2023-36427
Hyper-V / NT Kernel -- arbitrary physical memory corruption via Intel HFI MSR abuse
Summary
| Field | Value |
|---|---|
| Driver | ntoskrnl.exe (Hyper-V root partition) |
| Vulnerability Class | Arbitrary Memory Corruption |
| Exploited ITW | No |
| CVSS | 7.0 |
Root Cause
Windows mishandles the Intel Hardware Feedback Interface (HFI) MSRs in the root partition of a Hyper-V configuration. Kernel-mode code in the root partition can write to IA32_HW_FEEDBACK_PTR and IA32_HW_FEEDBACK_CONFIG MSRs, which control where the CPU writes hardware feedback data.
By pointing IA32_HW_FEEDBACK_PTR at an arbitrary physical address and then enabling feedback via IA32_HW_FEEDBACK_CONFIG, the CPU writes hardware feedback data directly to the chosen physical page -- regardless of EPT (Extended Page Table) protections. This bypasses Hyper-V's memory isolation, allowing corruption of arbitrary physical pages from the root partition.
Discovered by tandasat, who published a full report and exploit on GitHub.
Exploitation
The attacker (running as admin in the root partition) sets the HFI pointer MSR to the physical address of a target page -- for example, a page containing hypervisor data structures or a guest partition's memory. Enabling the HFI then causes the CPU to overwrite bytes at that physical address with hardware feedback data, corrupting the target. The corruption is limited to the HFI data format, but the target address is fully controlled.
Practical impact depends on the target: corrupting hypervisor code pages or data structures could lead to guest escape or host compromise.
Patch Analysis
The fix restricts root-partition access to the HFI MSRs. The kernel now validates that the HFI pointer targets memory within the expected feedback buffer region.
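The range check described above, written out as an added illustration (not the Windows patch or any code from the original report). It assumes the IA32_HW_FEEDBACK_PTR layout from the Intel SDM (bit 0 Valid, bits 11:1 reserved, bits 51:12 the 4 KiB-aligned table address for a 52-bit physical address width); the feedback-buffer base and size are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed IA32_HW_FEEDBACK_PTR layout (from the Intel SDM, not from the writeup):
 *   bit 0       Valid
 *   bits 11:1   reserved, must be zero
 *   bits 51:12  physical address of the 4 KiB-aligned HFI table (MAXPHYADDR = 52 assumed)
 */
#define HFI_PTR_RESERVED_MASK  0x0000000000000FFEULL
#define HFI_PTR_ADDR_MASK      0x000FFFFFFFFFF000ULL

/* Kernel-owned physical region that HFI writes are allowed to land in. */
typedef struct {
    uint64_t base;   /* physical address, 4 KiB aligned */
    uint64_t size;   /* bytes */
} hfi_region_t;

/* Constructed sample region: two pages at 0x7FFE0000 (illustrative value). */
hfi_region_t hfi_sample_region(void)
{
    hfi_region_t r = { 0x7FFE0000ULL, 0x2000ULL };
    return r;
}

/* Returns true only if a proposed IA32_HW_FEEDBACK_PTR value would make the CPU
 * write its feedback table entirely inside the kernel-owned buffer. Anything
 * else (reserved bits set, address outside the buffer, table spilling past its
 * end, or arithmetic overflow) is rejected. Illustrative check, not Windows code. */
bool hfi_ptr_is_allowed(uint64_t msr_value, const hfi_region_t *region, uint64_t table_size)
{
    if (msr_value & HFI_PTR_RESERVED_MASK)        /* reserved bits must be zero */
        return false;
    uint64_t addr = msr_value & HFI_PTR_ADDR_MASK; /* always 4 KiB aligned after masking */
    if (addr < region->base)
        return false;
    uint64_t end;
    if (__builtin_add_overflow(addr, table_size, &end))
        return false;                              /* wrapped around the address space */
    return end <= region->base + region->size;
}

int main(void)
{
    hfi_region_t region = hfi_sample_region();
    printf("in-buffer pointer allowed:   %d\n", hfi_ptr_is_allowed(0x7FFE0001ULL, &region, 0x1000));
    printf("arbitrary pointer allowed:   %d\n", hfi_ptr_is_allowed(0x01234001ULL, &region, 0x1000));
    return 0;
}
```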