CVE-2025-21333 — Hyper-V vkrnlintvsp.sys Heap Overflow (WNF + IORING)

Last updated: 2026-04-28
Component: vkrnlintvsp.sys — Hyper-V NT Kernel Integration VSP
Bug Class: Heap-based buffer overflow in paged pool (~0xFFF0 bytes)
Patch: January 2025 Patch Tuesday
Exploited ITW: Yes — added to CISA KEV at disclosure
Discoverer: Anonymous report; public PoC by Alessandro Iandoli (MrAle98)
Related: WNF, IORING, Heap Grooming
Tags: hyperv, vsp, heap-overflow, wnf, iouring, kernel-mode, lpe, itw


Summary

A heap-based buffer overflow in the Hyper-V NT Kernel Integration VSP (vkrnlintvsp.sys) reachable from inside the Windows Sandbox. The PoC chains the overflow with a WNF-state-data + IORING-RegBuffers cross-allocation pattern to land a single corrupted _IOP_MC_BUFFER_ENTRY pointer — sufficient for full kernel R/W without NtQuerySystemInformation or PreviousMode tricks.

The PoC’s contribution is the single-entry corruption technique: prior IORING exploits (Yarden Shafir’s original chain) replaced the entire RegBuffers array. Here only one entry needs to land, which makes the same approach viable from heap overflows / UAFs across many LFH bucket sizes.


Attack surface

  • Reachable only when Windows Sandbox is enabled — vulnerable syscalls route through vkrnlintvsp.sys only in that context.
  • The bug is in the VSP’s communication path; controlling the input length triggers a paged-pool overflow of approximately 0xFFF0 bytes on Windows 11 23H2.

Exploitation flow

  1. Spray WNF state-data objects in paged pool. WNF blocks are predictable in size and detectable post-overflow via their header signatures (see WNF Internals).
  2. Trigger the overflow through vkrnlintvsp.sys. The 0xFFF0-byte write smashes adjacent WNF state-data objects; identify which ones got corrupted by their now-invalid headers.
  3. Free two corrupted WNF state-data objects and immediately reallocate that space with:
    • an IORING_OBJECT.RegBuffers array (pool tag IrRB)
    • a PipeAttribute (used later for AAR scaffolding)
  4. Use a third overflow to flip one pointer in the freed-and-reallocated RegBuffers array. The new value points at a fake _IOP_MC_BUFFER_ENTRY in user space whose Address field controls subsequent reads/writes.
  5. Arbitrary read / arbitrary write (AAR/AAW). BuildIoRingWriteFile / BuildIoRingReadFile operations now translate into direct kernel reads and writes through the fake buffer entry.
  6. Token steal, return.

The exploit deliberately avoids NtQuerySystemInformation for the kernel-base leak (suppressed without SeDebugPrivilege on 24H2) — kernel pointers come out of the IORING primitive itself.


Why it matters

  • One of the first widely-published exploits to ride the WNF + IORING pattern with single-entry corruption.
  • Reaches the Hyper-V VSP from inside Windows Sandbox — a sandboxed-renderer breakout vector for browser exploit chains.
  • Confirmed actively exploited per CISA KEV; assumed paired with browser / sandbox-escape chains in real-world intrusions.

Detection

  • IORING RegBuffers pointers crossing the user / kernel boundary.
  • WNF state-data allocations followed quickly by IrRB reallocations in the same pool slot.
  • vkrnlintvsp.sys reaching the overflow path with input lengths near 0xFFF0.
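The three heuristics above, run over a constructed trace, as an added example that is not part of this page's references or the PoC. It assumes a trace source that can emit pool alloc/free events with an address and tag, IORING RegBuffers entry pointers, and the caller-supplied length reaching the vkrnlintvsp.sys path; the event schema, the reallocation window, and the length slack are assumptions, and the sample trace is constructed. Only the IrRB tag and the ~0xFFF0 length come from the page.

```python
"""Detection heuristics for the WNF + IORING chain behind CVE-2025-21333.

Added example (not the PoC's or any reference's code). The event schema and
thresholds are assumptions; only the IrRB pool tag and the ~0xFFF0 overflow
length come from the write-up.
"""
from dataclasses import dataclass
from typing import List, Tuple

# x64 Windows: canonical user-mode addresses end at 0x00007FFFFFFFFFFF, so a
# RegBuffers entry pointing at or below this value lives in user space.
USER_SPACE_MAX = 0x00007FFF_FFFFFFFF
OVERFLOW_LEN = 0xFFF0       # approximate overflow size from the write-up
LEN_SLACK = 0x40            # assumed tolerance around that length
REALLOC_WINDOW_US = 5_000   # assumed: WNF free -> IrRB alloc within 5 ms


@dataclass
class Event:
    ts_us: int              # monotonic timestamp in microseconds
    kind: str               # 'alloc' | 'free' | 'regbuf_entry' | 'vsp_input'
    addr: int = 0           # pool address for alloc/free
    pool_tag: str = ""      # pool tag for alloc (e.g. 'IrRB')
    obj: str = ""           # object type for free (e.g. 'wnf_state_data')
    ptr: int = 0            # _IOP_MC_BUFFER_ENTRY pointer for regbuf_entry
    length: int = 0         # caller-supplied length for vsp_input


Finding = Tuple[str, int, int]   # (rule, timestamp, value)


def is_user_mode_pointer(ptr: int) -> bool:
    """True when a pointer the kernel should own falls in the user range."""
    return ptr <= USER_SPACE_MAX


def scan(events: List[Event]) -> List[Finding]:
    """Apply the three heuristics from the Detection section in time order."""
    findings: List[Finding] = []
    recent_wnf_frees = {}   # pool address -> timestamp of last WNF free
    for ev in sorted(events, key=lambda e: e.ts_us):
        if ev.kind == "vsp_input":
            # Heuristic 3: input length near the overflow size.
            if abs(ev.length - OVERFLOW_LEN) <= LEN_SLACK:
                findings.append(("vsp_overflow_length", ev.ts_us, ev.length))
        elif ev.kind == "free" and ev.obj == "wnf_state_data":
            recent_wnf_frees[ev.addr] = ev.ts_us
        elif ev.kind == "alloc" and ev.pool_tag == "IrRB":
            # Heuristic 2: IrRB landing in a slot a WNF object just vacated.
            freed_at = recent_wnf_frees.get(ev.addr)
            if freed_at is not None and ev.ts_us - freed_at <= REALLOC_WINDOW_US:
                findings.append(("wnf_to_irrb_reuse", ev.ts_us, ev.addr))
        elif ev.kind == "regbuf_entry":
            # Heuristic 1: RegBuffers entry crossing the user/kernel boundary.
            if is_user_mode_pointer(ev.ptr):
                findings.append(("user_ptr_in_regbuffers", ev.ts_us, ev.ptr))
    return findings


# Constructed sample trace: one hit per heuristic plus benign noise.
SAMPLE_TRACE = [
    Event(100, "alloc", addr=0xFFFF8000_1000_0000, pool_tag="WnfS"),   # assumed tag
    Event(200, "vsp_input", length=0xFFF0),                            # hit (rule 3)
    Event(300, "free", addr=0xFFFF8000_1000_0000, obj="wnf_state_data"),
    Event(350, "alloc", addr=0xFFFF8000_1000_0000, pool_tag="IrRB"),   # hit (rule 2)
    Event(400, "alloc", addr=0xFFFF8000_2000_0000, pool_tag="IrRB"),   # benign
    Event(500, "regbuf_entry", ptr=0xFFFF8000_3000_0000),              # benign
    Event(600, "regbuf_entry", ptr=0x0000_0201_2345_0000),             # hit (rule 1)
    Event(700, "vsp_input", length=0x100),                             # benign
]

if __name__ == "__main__":
    for rule, ts, value in scan(SAMPLE_TRACE):
        print(f"{ts:>6} us  {rule:<24} {value:#x}")
```

The same-slot reuse rule is the most specific of the three: an IrRB allocation reclaiming an address freed by a WNF state-data object moments earlier is exactly the step-3 layout the write-up describes, while the length and pointer-range checks are cheaper but noisier and are best used as corroboration.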

References

  • Alessandro Iandoli (MrAle98) — CVE-2025-21333-POC — https://github.com/MrAle98/CVE-2025-21333-POC
  • ANSH InfoSec — Windows Hyper-V Zero-Day CVE-2025-21333: PoC Drops, SYSTEM Access Exposed
  • Wiz Vulnerability Database — CVE-2025-21333
  • Yarden Shafir — I/O Ring original write-up (the technique this exploit builds on)
  • See also: IORING, WNF Internals