What is Hyper-V's NT Kernel Integration VSP?
The NT Kernel Integration Virtual Service Provider (VSP) is a host-side Hyper-V component that handles VMBus communication between guest VMs and the host Windows kernel. It runs at kernel privilege on the Hyper-V host partition. Vulnerabilities in VSP code that processes guest-supplied data can enable guest-to-host privilege escalation: an attacker inside a VM can exploit the vulnerability to gain SYSTEM-level access to the host kernel.
Overview
CVE-2025-21334 is a use-after-free vulnerability (CWE-416) in the Windows Hyper-V NT Kernel Integration VSP — the second of three simultaneous Hyper-V VSP zero-days patched in the January 2025 Patch Tuesday alongside CVE-2025-21333 (heap overflow) and CVE-2025-21335 (UAF). All three allow a locally authenticated attacker within a guest VM to escalate privileges and potentially escape the VM to gain SYSTEM on the Hyper-V host. See CVE-2025-21333 for the broader context on this vulnerability cluster.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 / 11 with Hyper-V | Before January 2025 cumulative update | January 2025 cumulative update |
| Windows Server 2016–2025 with Hyper-V | Before January 2025 cumulative update | January 2025 cumulative update |
Technical Details
The use-after-free (CWE-416) in the NT Kernel Integration VSP occurs during VMBus message processing. A kernel object allocated to handle guest VM communication is freed while a reference to it is retained in a related host kernel data structure. By carefully timing VMBus operations from within the guest VM (controlling when objects are freed and what data occupies the freed memory via heap grooming), an attacker causes the host kernel to dereference stale pointers containing guest-controlled data — enabling host kernel code execution.
The Low attack complexity (AC:L) reflects that the exploit was reliably weaponized before the patch. The vulnerability differs from CVE-2025-21333 in its memory corruption mechanism (UAF vs. heap overflow) but achieves the same outcome: host kernel privilege escalation from a guest VM.
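The object-lifetime rule that this bug class violates can be shown in a small model. The following is an added example, not Microsoft's code or the actual fix: the channel/registry names are hypothetical, and the model is single-threaded (a kernel implementation would also need atomic counters and locking).

```c
#include <stdlib.h>

/* Toy single-threaded model; all names are hypothetical, not Hyper-V code. */
#define MAX_CHANNELS 8

struct channel {
    int refs;    /* live references to this object */
    int closed;  /* set once teardown has started */
};

static struct channel *registry[MAX_CHANNELS]; /* the "related data structure" */
static int frees;                              /* counts real frees */

static int valid(int id) { return id >= 0 && id < MAX_CHANNELS; }

/* Drop one reference; the last holder frees the memory. */
void channel_put(struct channel *c) {
    if (c && --c->refs == 0) { free(c); frees++; }
}

/* Create a channel; the registry slot owns the initial reference. */
int channel_open(int id) {
    if (!valid(id) || registry[id]) return -1;
    struct channel *c = calloc(1, sizeof *c);
    if (!c) return -1;
    c->refs = 1;
    registry[id] = c;
    return 0;
}

/* Lookup returns a counted reference, never a borrowed pointer. */
struct channel *channel_get(int id) {
    if (!valid(id) || !registry[id]) return NULL;
    registry[id]->refs++;
    return registry[id];
}

/* The CWE-416 pattern is free(registry[id]) with the slot left populated.
 * Hardened close: unpublish the pointer first, then drop the registry's
 * reference, so memory is released only when the last user is done. */
void channel_close(int id) {
    if (!valid(id) || !registry[id]) return;
    struct channel *c = registry[id];
    registry[id] = NULL;   /* no new lookup can reach the object */
    c->closed = 1;         /* in-flight users can see teardown */
    channel_put(c);
}

int channel_frees(void) { return frees; }
```

A handler that obtained the channel before teardown keeps a valid object until it calls `channel_put`, and any lookup after `channel_close` returns `NULL` instead of a stale pointer.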
Exploitation Context
Confirmed zero-day exploitation before January 14, 2025. Three simultaneous Hyper-V zero-days in one Patch Tuesday is historically unusual and indicates deep vulnerability research in the Hyper-V VSP codebase. CISA added all three to the KEV catalog simultaneously.
Remediation
- Apply the January 2025 cumulative update — this patches all three Hyper-V VSP CVEs in a single update. The CISA deadline was February 4, 2025.
- Apply all three companion patches: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 are all included in the same January 2025 cumulative update.
- Isolate untrusted VMs on separate physical hosts — guest-to-host escape is the core attack scenario.
- Monitor Hyper-V host kernel integrity and review for unexpected VSP crashes or host-level anomalies before the patch date.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-21334 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2025-01-14 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2025-01-14 |
| CISA KEV Deadline | 2025-02-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-01-14 | Patched in January 2025 Patch Tuesday; CISA adds to KEV (zero-day — companion to CVE-2025-21333 and CVE-2025-21335) |
| 2025-02-04 | CISA BOD 22-01 remediation deadline |