CVE-2025-21333 is a heap-based buffer overflow vulnerability in the Windows 11 kernel-mode driver vkrnlintvsp.sys, actively exploited by threat actors. Microsoft released a patch (KB5050021) on January 14, 2024. The vulnerability can lead to privilege escalation and arbitrary read/write access in kernel space. The article details the vulnerability analysis, exploitation techniques, and recommendations for detection.
Affected: Windows 11, vkrnlintvsp.sys
Keypoints:
- The vulnerability is a heap-based buffer overflow identified in vkrnlintvsp.sys.
- Detected as actively exploited by threat actors.
- Microsoft released a patch on January 14, 2024 (KB5050021).
- The analysis includes detailed examination of the vulnerability and its exploitation techniques.
- Guidance for detection and potential exploitation prevention is provided.
- Full proof-of-concept (PoC) code is available on GitHub.
MITRE Techniques:
- Technique: Exploitation for Client Execution (T1203) – The procedure uses the vulnerability to gain arbitrary kernel read/write access and escalate privileges.
- Technique: Privilege Escalation (T1068) – The vulnerability allows attackers to escalate privileges to SYSTEM level.
Indicators of Compromise:
- [Domain] microsoft.com
- [Hash] SHA256: 28948C65EF108AA5B43E3D10EE7EA7602AEBA0245305796A84B4F9DBDEDDDF77
- [Hash] SHA256: 999C51D12CDF17A57054068D909E88E1587A9A715F15E0DE9E32F4AA4875C473
- [File] vkrnlintvsp.sys
- [File] ntoskrnl.exe