CVE-2025-21333 — Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability

CVE-2025-21333

Windows Hyper-V NT Kernel VSP — Heap Overflow Guest-to-Host LPE; January 2025 Patch Tuesday (One of Three Simultaneous Hyper-V Zero-Days)

What is Hyper-V's NT Kernel Integration VSP?

Hyper-V is Microsoft's native hypervisor that enables hardware virtualization on Windows Server and Windows 10/11 Pro/Enterprise. The NT Kernel Integration Virtual Service Provider (VSP) is a host-side kernel component that mediates communication between Hyper-V virtual machines and the underlying Windows host. VSPs run with elevated kernel privileges on the host partition and provide virtualization services to guest VMs through the VMBus communication channel.

Because VSPs process data supplied by guest VMs, VSP vulnerabilities are particularly critical in multi-tenant environments (cloud providers, VDI, enterprise virtualization), where guest VMs may be untrusted or already compromised: an attacker who controls a guest can use a VSP vulnerability to escape the VM boundary and compromise the host kernel.

Overview

CVE-2025-21333 is a heap-based buffer overflow (CWE-122) in the Windows Hyper-V NT Kernel Integration VSP that allows a locally authenticated attacker within a guest VM to escalate privileges and potentially escape the VM sandbox to gain SYSTEM privileges on the Hyper-V host. Disclosed as a zero-day in the January 2025 Patch Tuesday, it was one of three simultaneous Hyper-V VSP zero-days (alongside CVE-2025-21334 and CVE-2025-21335) — reflecting coordinated attacker research into the Hyper-V VSP attack surface.

Affected Versions

Product                                  Vulnerable                              Fixed
Windows 10 / 11 with Hyper-V             Before January 2025 cumulative update   January 2025 cumulative update
Windows Server 2016–2025 with Hyper-V    Before January 2025 cumulative update   January 2025 cumulative update

Technical Details

The heap-based buffer overflow (CWE-122) occurs in the NT Kernel Integration VSP when processing VMBus messages from a guest VM. VMBus is Hyper-V's high-speed communication channel between guest VMs and host VSPs. The VSP allocates a heap buffer to process an incoming message, but a crafted message with a size or content field that exceeds the buffer's capacity causes an overflow, corrupting adjacent kernel heap memory on the host.

By controlling the overflow content and heap layout (heap grooming through orchestrated VMBus message sequences), an attacker within a guest VM can corrupt host kernel data structures — potentially escalating from guest VM context to SYSTEM-level code execution on the Hyper-V host kernel.
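As an added illustration (not the VSP's code and not the real VMBus message format), this C example shows the bug class the paragraph describes: a guest-supplied length field validated against the wrong bound, beside a handler that bounds the copy by the allocation it actually made. Message layout, field names and sizes are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration of the CWE-122 pattern the advisory describes: the
 * host copies a guest-controlled payload into a fixed-size heap buffer, bounded
 * by the wrong limit. Names, sizes and layout are assumptions, not VSP code. */
#define MSG_BUF_SIZE 64u   /* size of the host's per-message heap buffer */
#define MAX_PAYLOAD  128u  /* largest payload the transport can carry */
#define HOST_MAGIC   0x48564F4Bu
struct guest_msg {
    uint32_t payload_len;          /* guest-controlled length field */
    uint8_t  payload[MAX_PAYLOAD]; /* guest-controlled bytes */
};

struct heap_region {                      /* one allocation modelling host heap */
    uint8_t msg_buf[MSG_BUF_SIZE];
    struct { uint32_t magic; } neighbour; /* adjacent, unrelated host object */
    uint8_t rest_of_page[MAX_PAYLOAD];    /* keeps the overflow in defined memory */
};
/* Builds a guest message of the given length filled with one byte value. */
struct guest_msg make_msg(uint32_t len, uint8_t fill) {
    struct guest_msg m = { .payload_len = len };
    memset(m.payload, fill, sizeof m.payload);
    return m;
}

/* Vulnerable: validates the length against the transport limit instead of the
 * buffer it allocated. Returns the neighbour's magic after the copy. */
uint32_t handle_msg_vulnerable(const struct guest_msg *m) {
    if (m->payload_len > MAX_PAYLOAD) return 0;
    struct heap_region *r = calloc(1, sizeof *r);
    if (!r) return 0;
    r->neighbour.magic = HOST_MAGIC;
    memcpy(r->msg_buf, m->payload, m->payload_len);  /* CWE-122: overruns msg_buf */
    uint32_t magic = r->neighbour.magic;
    free(r);
    return magic;
}

/* Hardened: the guest length is checked against the allocation it is copied
 * into, so oversized messages are rejected before any heap write. */
int handle_msg_hardened(const struct guest_msg *m) {
    if (m->payload_len > MSG_BUF_SIZE) return -1;   /* reject, bytes copied otherwise */
    struct heap_region *r = calloc(1, sizeof *r);
    if (!r) return -1;
    memcpy(r->msg_buf, m->payload, m->payload_len);
    free(r);
    return (int)m->payload_len;
}
```

With a 100-byte payload the vulnerable handler overwrites the neighbouring object's magic with the fill byte, which is the adjacent-heap corruption the advisory describes; the hardened handler rejects the same message.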

Key characteristics:

  • Attack originates from within a guest VM (AV:L — local to the host, but reachable from a guest VM)
  • Low privileges required (PR:L — standard VM user account)
  • Part of a cluster of three simultaneous Hyper-V zero-days suggesting sustained research

Discovery

Microsoft Threat Intelligence identified active exploitation before the January 2025 Patch Tuesday. That three Hyper-V VSP zero-days (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) were patched together indicates either multiple actors or a single actor with deep Hyper-V research capability.

Exploitation Context

Confirmed zero-day exploitation before January 14, 2025. CISA added all three Hyper-V VSP CVEs to the KEV catalog simultaneously on patch day. Guest-to-host escape vulnerabilities are particularly valuable in cloud environments and hosted VDI where an attacker can rent a VM and leverage the escape to access other customers' VMs or the hosting infrastructure.

Remediation

  1. Apply the January 2025 cumulative update for your Windows version. The CISA deadline was February 4, 2025.
  2. Apply all three Hyper-V VSP patches simultaneously from the same cumulative update: CVE-2025-21333 (heap overflow), CVE-2025-21334 (UAF), and CVE-2025-21335 (UAF).
  3. Isolate untrusted VMs on separate physical hosts or host clusters where possible — lateral host compromise via guest VMs is the primary attack scenario.
  4. Enable Hyper-V shielded VMs and virtual TPM for sensitive workloads to add additional layers of isolation.
  5. Monitor for signs of exploitation that may have occurred before the patch was applied: unexpected kernel crashes or restarts on Hyper-V hosts, and anomalous VMBus activity.

Key Details

Property              Value
CVE ID                CVE-2025-21333
Vendor / Product      Microsoft — Windows
NVD Published         2025-01-14
NVD Last Modified     2025-11-03
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-122
CISA KEV Added        2025-01-14
CISA KEV Deadline     2025-02-04
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-02-04. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-01-14  Patched in January 2025 Patch Tuesday; CISA adds to KEV (zero-day — one of three simultaneous Hyper-V VSP zero-days)
2025-02-04  CISA BOD 22-01 remediation deadline