CVE-2025-21335 — Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability

Windows Hyper-V NT Kernel VSP — UAF Guest-to-Host LPE; January 2025 Patch Tuesday (Third of Three Simultaneous Hyper-V Zero-Days)

What is Hyper-V's NT Kernel Integration VSP?

The NT Kernel Integration Virtual Service Provider (VSP) is a Hyper-V host-side kernel component that processes VMBus messages from guest VMs. It runs at the highest kernel privilege level on the host. See CVE-2025-21333 for the full context on the Hyper-V VSP vulnerability cluster.

Overview

CVE-2025-21335 is a use-after-free vulnerability (CWE-416) in the Windows Hyper-V NT Kernel Integration VSP, the third of three Hyper-V zero-days disclosed in the January 2025 Patch Tuesday. It is a companion to CVE-2025-21333 (heap overflow) and CVE-2025-21334 (UAF); all three allow a locally authenticated attacker within a guest VM to gain SYSTEM privileges on the Hyper-V host. The simultaneous disclosure of three Hyper-V VSP zero-days in a single Patch Tuesday is historically unusual.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Windows 10 / 11 with Hyper-V | Before January 2025 cumulative update | January 2025 cumulative update |
| Windows Server 2016–2025 with Hyper-V | Before January 2025 cumulative update | January 2025 cumulative update |

Technical Details

This second UAF in the VSP (alongside CVE-2025-21334) indicates that multiple distinct code paths within the NT Kernel Integration VSP's VMBus message processing are vulnerable to use-after-free conditions. The vulnerability is in a different function or code path than CVE-2025-21334, but the exploitation principle is the same: freed kernel objects on the host can be controlled by a guest VM through carefully timed VMBus operations and heap grooming, enabling host kernel code execution.

The three CVEs together (21333, 21334, 21335) represent multiple independent exploitation paths to host-level compromise from a guest VM, so partial patching (applying only one or two of the fixes) still leaves an exploit path open.

Exploitation Context

Confirmed zero-day exploitation before January 14, 2025. All three Hyper-V VSP CVEs were added to the CISA KEV catalog simultaneously on patch day.

Remediation

  1. Apply the January 2025 cumulative update — patches all three Hyper-V VSP CVEs simultaneously. CISA deadline: February 4, 2025.
  2. All three patches are required: CVE-2025-21333 (heap overflow), CVE-2025-21334 (UAF), and CVE-2025-21335 (this UAF) are all in the same cumulative update. Applying only some leaves attack paths open.
  3. Restrict VM guest access — limit who can create and run VMs on Hyper-V hosts, particularly in shared environments.
  4. Isolate high-risk workloads to dedicated host hardware separate from untrusted or multi-tenant VM workloads.

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2025-21335 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2025-01-14 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2025-01-14 |
| CISA KEV Deadline | 2025-02-04 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-02-04. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2025-01-14 | Patched in January 2025 Patch Tuesday; CISA adds to KEV (zero-day — companion to CVE-2025-21333 and CVE-2025-21334) |
| 2025-02-04 | CISA BOD 22-01 remediation deadline |