CVE-2025-21335

Hyper-V NT Kernel Integration VSP — use-after-free allows SYSTEM escalation

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching. Added to CISA KEV.

Summary

Field	Value
Driver	vkrnlintvsp.sys (Hyper-V NT Kernel Integration VSP)
Vulnerability Class	Use-After-Free
CVSS	7.8
Exploited ITW	Yes
Patch Date	January 14, 2025

Root Cause

Use-after-free in the Hyper-V NT Kernel Integration Virtual Service Provider, patched alongside CVE-2025-21333 and CVE-2025-21334 in the same Patch Tuesday. The VSP manages VMBus communication between host and guest partitions. The driver mishandles memory lifetimes, leaving references to freed objects.

Not a guest-to-host escape. Requires local code execution on the host.

Exploitation

A local authenticated attacker triggers the UAF to escalate to SYSTEM. No public exploitation details exist yet.

Exploitation Primitive

VSP object UAF → kernel memory corruption → SYSTEM

References

• MSRC Advisory
• Tenable — January 2025 Patch Tuesday
• HelpNetSecurity — Hyper-V Zero-Days