CVE-2025-21334

Hyper-V NT Kernel Integration VSP — use-after-free allows SYSTEM escalation

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching. Added to CISA KEV.

Summary

Field	Value
Driver	vkrnlintvsp.sys (Hyper-V NT Kernel Integration VSP)
Vulnerability Class	Use-After-Free
CVSS	7.8
Exploited ITW	Yes
Patch Date	January 14, 2025

Root Cause

Use-after-free in the Hyper-V NT Kernel Integration Virtual Service Provider. One of three Hyper-V VSP zero-days patched in the same Patch Tuesday (alongside CVE-2025-21333 and CVE-2025-21335). The VSP handles communication between the host partition and guest VMs via VMBus. The driver mismanages VSP request object lifetimes, so a freed object can be referenced after cleanup.

Not a guest-to-host escape. Exploitation requires local code execution on the host to escalate to SYSTEM.

Exploitation

A local authenticated attacker triggers the UAF to corrupt kernel memory and escalate to SYSTEM. No public exploitation details exist yet.

Exploitation Primitive

VSP request object UAF → kernel memory corruption → SYSTEM

References

• MSRC Advisory
• Tenable — January 2025 Patch Tuesday
• The Hacker News — 3 Actively Exploited Zero-Day Flaws