CVE-2025-21335
Published: 14 January 2025
Summary
CVE-2025-21335 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows 11 22H2. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 8.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the Use After Free flaw in Windows Hyper-V VSP by requiring timely application of Microsoft patches as referenced in MSRC and CISA KEV.
Implements memory safeguards such as ASLR and DEP to protect against unauthorized code execution from Use After Free vulnerabilities in Hyper-V kernel components.
Enables proactive identification of the Hyper-V VSP vulnerability through regular scanning, facilitating prompt patching to prevent local privilege escalation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a local elevation of privilege vulnerability (use-after-free in Hyper-V kernel component) that directly enables T1068 Exploitation for Privilege Escalation to achieve kernel-level access.
NVD Description
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
Deeper analysisAI
CVE-2025-21335 is an elevation of privilege vulnerability in the Windows Hyper-V NT Kernel Integration VSP component, stemming from a CWE-416 (Use After Free) flaw. Published on January 14, 2025, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with significant impacts on confidentiality, integrity, and availability. The vulnerability affects Windows Hyper-V hosts where the VSP (Virtual Service Provider) integration service mishandles memory, allowing improper object reuse after deallocation.
A local attacker with low privileges on the Hyper-V host can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables elevation to higher privilege levels, potentially granting full system control, including kernel-level access, due to the high impact ratings across confidentiality, integrity, and availability.
Microsoft's Security Response Center (MSRC) provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335 detailing patches and remediation steps. The vulnerability is also referenced in the CISA Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21335, signaling active real-world exploitation and urging federal agencies to apply mitigations promptly.
Details
- CWE(s)
- KEV Date Added
- 14 January 2025