CVE-2025-64673
storvsp.sys -- elevation of privilege in Hyper-V Storage Virtual Service Provider
Summary
| Field | Value |
|---|---|
| Driver | storvsp.sys (Hyper-V Storage Virtual Service Provider) |
| Vulnerability Class | Elevation of Privilege |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | December 9, 2025 |
Context
The Storage VSP driver (storvsp.sys) handles storage I/O between Hyper-V guests and the host. It runs in the host kernel and processes storage requests that guest virtual machines send over the VMBus channel. Because of this placement, a malicious guest can potentially trigger a bug in storvsp.sys, which makes the driver part of the Hyper-V guest-to-host attack surface.
CVE-2025-64673 is the second storvsp.sys vulnerability in the KernelSight corpus, following CVE-2025-47982 (improper input validation). Together with the three Hyper-V VSP bugs from January 2025 (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335), the storage virtualization layer is establishing itself as a significant kernel attack surface.
Root Cause
Microsoft's advisory confirms a privilege escalation without disclosing the specific mechanism. Based on the pattern of VSP vulnerabilities, the likely root cause involves insufficient validation of guest-supplied storage request parameters. The Storage VSP processes SCSI request blocks (SRBs) and storage protocol commands from the guest. These requests contain size fields, buffer pointers, and operation codes that the host kernel must validate before acting on them. Missing or incomplete validation of these fields can lead to buffer overflows, type confusion, or out-of-bounds access in the host kernel.
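The validation pattern this paragraph describes, as an added example: it is not Microsoft's code and does not reproduce the undisclosed flaw. The `guest_req` layout, the size limits, and the function names are assumptions made for illustration; the real storvsp wire format differs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CDB_LEN  16u         /* assumed host-side CDB buffer size */
#define MAX_TRANSFER (1u << 20)  /* assumed per-request transfer cap */

/* Hypothetical guest-supplied request header, NOT the real storvsp wire format. */
struct guest_req {
    uint8_t  opcode;
    uint8_t  cdb_len;
    uint32_t data_offset;            /* offset into the shared guest buffer */
    uint32_t data_len;
    uint8_t  cdb[MAX_CDB_LEN];
};

enum { REQ_OK, REQ_SHORT, REQ_BAD_OP, REQ_BAD_CDB, REQ_BAD_RANGE };

/* Validate every guest-controlled field before the host acts on it. */
int validate_guest_req(const uint8_t *pkt, size_t pkt_len, size_t shared_len,
                       struct guest_req *out)
{
    struct guest_req r;
    if (pkt_len < sizeof r) return REQ_SHORT;
    memcpy(&r, pkt, sizeof r);       /* snapshot once: the guest can rewrite shared memory */
    if (r.opcode != 0x28 && r.opcode != 0x2A) return REQ_BAD_OP;  /* allow-list: READ(10), WRITE(10) */
    if (r.cdb_len == 0 || r.cdb_len > MAX_CDB_LEN) return REQ_BAD_CDB;
    if (r.data_len == 0 || r.data_len > MAX_TRANSFER) return REQ_BAD_RANGE;
    /* Overflow-safe range check: offset + len is never computed directly. */
    if (r.data_offset > shared_len || r.data_len > shared_len - r.data_offset)
        return REQ_BAD_RANGE;
    *out = r;
    return REQ_OK;
}

/* Build a constructed packet from field values and run the validator on it. */
int check_fields(uint8_t op, uint8_t cdb_len, uint32_t off, uint32_t len, size_t shared_len)
{
    struct guest_req in, out;
    memset(&in, 0, sizeof in);
    in.opcode = op; in.cdb_len = cdb_len; in.data_offset = off; in.data_len = len;
    return validate_guest_req((const uint8_t *)&in, sizeof in, shared_len, &out);
}

int main(void)
{
    printf("wrapping offset/len: %d\n", check_fields(0x28, 10, 0xFFFFFFF0u, 0x20, 0x10000));
    return 0;
}
```

The range check is written as a subtraction because a naive `data_offset + data_len <= shared_len` comparison wraps in 32-bit arithmetic and would accept the constructed request in `main`.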
Exploitation
A local attacker or Hyper-V guest sends crafted storage operations that reach the validation gap in storvsp.sys. The exact exploitation primitive depends on the nature of the validation failure, but VSP bugs typically yield either a heap corruption or an out-of-bounds write that can be leveraged for kernel code execution on the host.
Exploitation Primitive
Crafted storage operation --> kernel vulnerability --> SYSTEM
Broader Significance
Hyper-V VSP drivers represent a growing category of kernel attack surface. Unlike traditional kernel drivers that process local user requests, VSP drivers process requests from guest VMs that may be running untrusted workloads. A vulnerability here can enable guest-to-host escape, which is among the highest-value exploitation targets in cloud and enterprise environments. Microsoft's Hyper-V bounty program offers up to $250,000 for guest-to-host escapes, reflecting the severity of this attack surface.