CVE-2025-21334
Hyper-V NT Kernel Integration VSP -- use-after-free allows SYSTEM escalation
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | vkrnlintvsp.sys (Hyper-V NT Kernel Integration VSP) |
| Vulnerability Class | Use-After-Free |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | January 14, 2025 |
Root Cause
January 2025 was a rough month for Hyper-V. Microsoft patched three VSP zero-days in the same Patch Tuesday, all actively exploited: CVE-2025-21333 (guest-to-host heap overflow in vsp.sys), CVE-2025-21335 (UAF in the same integration VSP), and this one, CVE-2025-21334.
The NT Kernel Integration Virtual Service Provider (vkrnlintvsp.sys) manages VMBus communication between the host partition and guest VMs. The driver mismanages the lifetimes of VSP request objects: under certain conditions, a request object is freed while another code path still holds a reference to it. When that stale reference is later dereferenced, the kernel operates on freed memory.
Unlike CVE-2025-21333, this is not a guest-to-host escape. Exploitation requires local code execution on the host itself, making it a local privilege escalation rather than a hypervisor boundary crossing. But it was still exploited in the wild, which tells us something about attacker priorities: sometimes SYSTEM on the host is the goal, not escape from a guest.
Exploitation
A local authenticated attacker on the Hyper-V host triggers the use-after-free through operations that cause a VSP request object to be freed prematurely. The freed memory is then reclaimed with attacker-controlled data, and the stale reference dereference corrupts kernel memory in a way that enables privilege escalation to SYSTEM.
No detailed public exploitation writeups exist yet. The CISA KEV listing and Microsoft's acknowledgment of active exploitation confirm the bug was used in the wild, but the specific exploitation technique remains undisclosed.
Exploitation Primitive
VSP request object freed while reference remains active
--> stale dereference on reclaimed memory
--> kernel memory corruption --> SYSTEM
Broader Significance
The three January 2025 Hyper-V VSP zero-days (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) represent a cluster of bugs in a single subsystem, all exploited simultaneously. This suggests that attackers, or possibly a single threat actor, had invested significant effort in auditing the VMBus/VSP interface. For defenders, the lesson is that when one bug appears in a subsystem, a thorough review of the surrounding code is warranted: where one lifetime or bounds bug is found, related ones are often nearby.