CVE-2025-21335

Hyper-V NT Kernel Integration VSP -- use-after-free allows SYSTEM escalation

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching. Added to CISA KEV.

Summary

Field                Value
Driver               vkrnlintvsp.sys (Hyper-V NT Kernel Integration VSP)
Vulnerability Class  Use-After-Free
CVSS                 7.8
Exploited ITW        Yes
Patch Date           January 14, 2025

Root Cause

CVE-2025-21335 is the third member of the January 2025 Hyper-V VSP zero-day cluster, patched alongside CVE-2025-21333 and CVE-2025-21334. All three were actively exploited before the patch shipped.

Like CVE-2025-21334, this vulnerability lives in the Hyper-V NT Kernel Integration Virtual Service Provider (vkrnlintvsp.sys), which manages VMBus communication between host and guest partitions. The driver mishandles memory lifetimes, leaving dangling references to objects that have already been freed. When a subsequent code path follows one of these stale pointers, it operates on memory that may have been reallocated for a different purpose, giving the classic use-after-free primitive.

This is not a guest-to-host escape. The attacker needs local code execution on the Hyper-V host to trigger the vulnerable code path. The impact is local privilege escalation to SYSTEM on the host machine.

Exploitation

A local authenticated attacker triggers the use-after-free through operations that cause the driver to free an internal object while references to it remain active. The freed memory is reclaimed with controlled data, and the stale pointer dereference provides a kernel memory corruption primitive that enables escalation to SYSTEM.

No public exploitation details have been released. Microsoft confirmed active exploitation, and CISA added the vulnerability to the Known Exploited Vulnerabilities catalog, but the specific technique and threat actor remain undisclosed.

Exploitation Primitive

VSP object freed while references remain
  --> stale pointer dereference on reclaimed memory
  --> kernel memory corruption --> SYSTEM

Broader Significance

Three Hyper-V VSP use-after-free vulnerabilities in a single Patch Tuesday, all actively exploited, point to a systematic weakness in object lifetime management within the VMBus/VSP subsystem. The pattern suggests that the VSP codebase was audited thoroughly by an attacker (or multiple attackers) who found that reference counting across asynchronous VMBus operations was consistently under-validated. For anyone running Hyper-V in production, the January 2025 patches were among the most urgent of the year.
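The lifetime defect described in the Root Cause section and the under-validated reference counting across asynchronous operations described above can be illustrated with a small user-mode model. This is an added example, not code from vkrnlintvsp.sys or from Microsoft; every name in it is an assumption, and the fixed pool stands in for a kernel allocator that hands a freed slot to the next unrelated request. It places the defective pattern (a deferred handler keeping a raw pointer without a reference) next to the corrected one (the handler owns a reference until it is done), and returns what the handler actually read so the difference is observable.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a reference-counted object shared between a caller
 * and a deferred (asynchronous) completion handler. This illustrates the
 * lifetime-management bug class only; it is not code from vkrnlintvsp.sys,
 * and every name here is an assumption. */
typedef struct vsp_obj {
    long refcount;
    int  payload;      /* stands in for whatever state the handler later reads */
} vsp_obj;

/* Tiny fixed pool so that a freed slot is reused by the very next allocation,
 * mimicking an allocator handing freed memory to an unrelated request. */
#define POOL_SIZE 4
static vsp_obj pool[POOL_SIZE];
static int     pool_used[POOL_SIZE];

static vsp_obj *obj_alloc(int payload) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool_used[i]) {
            pool_used[i]     = 1;
            pool[i].refcount = 1;      /* the creator holds the first reference */
            pool[i].payload  = payload;
            return &pool[i];
        }
    }
    return NULL;
}

static void obj_get(vsp_obj *o) { o->refcount++; }

/* Drop a reference; at zero the slot goes back to the pool for reuse. */
static void obj_put(vsp_obj *o) {
    if (--o->refcount == 0) {
        o->payload = 0;
        pool_used[o - pool] = 0;
    }
}

/* One pending work item models the asynchronous completion. */
static struct { vsp_obj *target; int owns_ref; } pending;

/* Defective pattern: the handler keeps a raw pointer but no reference,
 * so nothing stops the object from being freed before the handler runs. */
static void queue_work_unsafe(vsp_obj *o) {
    pending.target   = o;
    pending.owns_ref = 0;
}

/* Corrected pattern: the queued work takes its own reference and releases
 * it only after it has finished using the pointer. */
static void queue_work_safe(vsp_obj *o) {
    obj_get(o);
    pending.target   = o;
    pending.owns_ref = 1;
}

/* Run the deferred handler and report the payload it observed. */
static int run_pending(void) {
    vsp_obj *o = pending.target;
    int seen = o->payload;             /* stale in the unsafe case */
    if (pending.owns_ref)
        obj_put(o);
    pending.target = NULL;
    return seen;
}

/* Drive the sequence: create object, queue async work, caller drops its
 * reference, an unrelated allocation happens, then the handler runs.
 * Returns what the handler saw: 42 means it read the intended object,
 * anything else means it followed a dangling pointer into reused memory. */
int handler_observed_payload(int use_safe_pattern) {
    memset(pool_used, 0, sizeof pool_used);
    vsp_obj *a = obj_alloc(42);
    if (use_safe_pattern) queue_work_safe(a); else queue_work_unsafe(a);
    obj_put(a);                        /* unsafe: refcount hits 0 and a is freed here */
    vsp_obj *b = obj_alloc(99);        /* unsafe: b lands in a's recycled slot */
    int seen = run_pending();
    obj_put(b);
    return seen;
}

int main(void) {
    printf("raw pointer, no reference: handler saw %d\n", handler_observed_payload(0));
    printf("reference held across async work: handler saw %d\n", handler_observed_payload(1));
    return 0;
}
```

With the unsafe queueing the handler reads 99, the payload of an unrelated object that now occupies the recycled slot; with the reference held it reads 42. In a real driver this is the class of defect that Driver Verifier's special pool option is designed to surface during testing, since it places each allocation so that a touch after free faults immediately rather than silently reading reused memory.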