CVE-2025-21333
vsp.sys -- Hyper-V Virtual Service Provider heap-based buffer overflow
Exploited in the Wild
Exploited in the wild as a zero-day. Reported in Microsoft's January 2025 Patch Tuesday as under active exploitation.
Summary
| Field | Value |
|---|---|
| Driver | vsp.sys (Hyper-V Virtual Service Provider) |
| Vulnerability Class | Buffer Overflow |
| Vulnerable Build | 10.0.26100.2605 and earlier |
| Fixed Build | 10.0.26100.2894 (KB5050009, January 2025) |
| Exploited ITW | Yes |
Affected Functions
- VspReceivePacket
- VspProcessChannelMessage
- VspHandleGpaDirectPacket
Root Cause
January 2025's Patch Tuesday disclosed three Hyper-V VSP zero-days, and CVE-2025-21333 was the most severe: a guest-to-host escape via heap buffer overflow in the Virtual Service Provider driver.
The Hyper-V architecture relies on VMBus channels to broker communication between guest Virtual Service Consumers (VSCs) and host-side Virtual Service Providers (VSPs). The vsp.sys driver processes incoming VMBus messages for storage I/O, networking, and video operations. When VspReceivePacket receives a channel message, it reads a size field from the packet header to determine how much data to copy into a pre-allocated kernel buffer.
The problem is that this size field comes directly from the guest and is never validated against the buffer's actual capacity. If a guest sends a packet with a declared data size larger than the destination buffer, the copy overflows into adjacent NonPagedPoolNx allocations on the host kernel. Because the packet originates from inside a guest VM and the overflow occurs on the host, this crosses the hypervisor isolation boundary, the most sensitive trust boundary in a virtualized environment.
AutoPiff categorizes this as heap buffer overflow via insufficient packet size validation with detection rules:
added_len_check_before_memcpy-- identifies the new size validation before the memory copyadded_buffer_size_validation-- detects the bounds check on the VMBus packet size field
Exploitation
The attack begins inside a compromised Hyper-V guest VM. An attacker with elevated guest privileges crafts VMBus channel messages with oversized packet headers and sends them to the host's VSP endpoint.
On the host side, VspReceivePacket processes the message and copies more data than the destination buffer can hold, overflowing into adjacent NonPagedPoolNx allocations. To control what objects sit next to the vulnerable buffer, the attacker uses legitimate VMBus operations (which trigger host-side allocations) as a pool spray mechanism. The goal is to place a predictable object adjacent to the overflow target.
When the overflow corrupts the adjacent object, the attacker gains a kernel read/write primitive on the host. From there, a token swap replaces the attacker's process token with the SYSTEM token, completing the guest-to-host escape. The attacker now has SYSTEM privileges on the Hyper-V host, with access to all guest VMs running on the same physical machine.
Patch Analysis
The January 2025 update adds proper validation of the packet size field in VspReceivePacket before any data copy occurs. The new code compares the incoming packet's declared data size against the pre-allocated buffer capacity and rejects packets that would overflow. Additional validation was added in VspProcessChannelMessage to verify message header consistency before dispatching to specific handlers.
AutoPiff detects this change via the added_len_check_before_memcpy rule, which identifies the new comparison instruction that validates the source data length against the destination buffer size prior to the copy operation.
Detection
YARA Rule
rule CVE_2025_21333_VSP {
meta:
description = "Detects vulnerable version of vsp.sys (pre-patch)"
cve = "CVE-2025-21333"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "vsp.sys" wide ascii nocase
$internal_name = "InternalName" wide
$vuln_version = "10.0.26100.2605" wide ascii
$func_receive = "VspReceivePacket" ascii
$func_channel = "VspProcessChannelMessage" ascii
$func_gpa = "VspHandleGpaDirectPacket" ascii
condition:
$mz at 0 and $driver_name and $internal_name and $vuln_version
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
Microsoft-Windows-Hyper-V-Worker |
VMBus channel message events | Detects abnormal VMBus packet sizes sent from guest to host VSP |
Microsoft-Windows-Hyper-V-VmSwitch |
Virtual switch packet processing | Captures anomalous network VSP traffic patterns during exploitation |
Microsoft-Windows-Kernel-Process |
Host process token changes | Identifies the guest-to-host token swap achieving SYSTEM on the host |
Microsoft-Windows-Security-Auditing |
Event 4688 -- Process creation | Detects unexpected SYSTEM-level process spawns on the Hyper-V host following VMBus activity |
Microsoft-Windows-Kernel-Audit |
Token modification on host | Captures privilege escalation from the vmwp.exe worker process context to SYSTEM |
Behavioral Indicators
- A Hyper-V guest VM sending VMBus channel messages with packet size fields exceeding the pre-allocated host-side buffer capacity, triggering heap overflow in
VspReceivePacketon the host kernel - Anomalous NonPagedPoolNx allocation churn on the Hyper-V host coinciding with VMBus channel activity from a specific guest, indicating pool spray via legitimate VMBus operations
- The
vmwp.exeworker process (or host kernel context) experiencing pool corruption events correlated with guest VM VMBus traffic spikes - Unexpected SYSTEM-privilege process creation on the host originating from a VM worker process context, indicating successful guest-to-host escape
- Guest VM performing rapid open/close cycles on VMBus channels to multiple VSP endpoints (storage, networking) as part of pool grooming before triggering the overflow
Broader Significance
Guest-to-host escapes are the most consequential class of hypervisor vulnerability. A single compromised guest can pivot to the host and from there to every other guest on the same physical machine. CVE-2025-21333 demonstrates that the VMBus channel interface, the primary communication path between guest and host, was processing guest-supplied size fields without bounds checking. For organizations running multi-tenant Hyper-V environments, this was a critical trust boundary failure.