In‑Depth Analysis of Hyper‑V DirectX Attack Surface and Related CVEs
The article provides a comprehensive technical walkthrough of the Hyper‑V DirectX component, detailing its architecture, virtual GPU configuration, attack surface, and step‑by‑step exploitation of four critical CVEs (CVE‑2022‑21918, CVE‑2021‑43219, CVE‑2022‑21912, CVE‑2022‑21898) with code snippets and debugging insights.
At BlackHat USA 2022, researchers from Ant Security’s Light‑Year Lab presented "DirectX: The New Hyper‑V Attack Surface," and this article expands on that talk by dissecting the Hyper‑V DirectX component used in Microsoft Azure’s Hyper‑V virtualization.
The Hyper‑V DirectX architecture builds on the Windows Display Driver Model (WDDM); the article describes the WDDM stack (Figure 1) and the Hyper‑V DirectX stack (Figure 2), then follows the data flow through both (Figures 3‑4), illustrating how virtual GPU commands travel between guest and host.
Virtual GPU configuration is performed via PowerShell commands such as Add-VMGpuPartitionAdapter and Get-VMGpuPartitionAdapter, with kernel log verification (Figure 6) confirming successful enablement.
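Because the DirectX vmbus command channel is only reachable from a guest that has a GPU partition adapter attached, a defender's first question is which VMs on a host actually expose that surface. The following inventory script is an added example, not code from the article or from the Light‑Year Lab researchers; it assumes the Hyper‑V PowerShell module is installed, the session is elevated, and that the adapter object carries the InstancePath and Min/Max/OptimalPartitionVRAM properties (assumed from the parameters of the same names on Set-VMGpuPartitionAdapter).

```powershell
# Added example (not from the article): list every VM on this Hyper-V host that has a
# GPU partition adapter, i.e. every guest that can reach the DirectX vmbus channel.
# Assumptions: Hyper-V module present, elevated session, and the adapter object exposes
# InstancePath plus Min/Max/OptimalPartitionVRAM (assumed property names).

# Host-side view: which physical GPUs are partitionable at all.
$hostGpus = @(Get-VMHostPartitionableGpu -ErrorAction SilentlyContinue)
"Partitionable GPUs on $env:COMPUTERNAME: $($hostGpus.Count)"

# Guest-side view: which VMs currently have an adapter attached.
$exposed = foreach ($vm in Get-VM) {
    $adapters = @(Get-VMGpuPartitionAdapter -VMName $vm.Name -ErrorAction SilentlyContinue)
    foreach ($a in $adapters) {
        [pscustomobject]@{
            VMName               = $vm.Name
            State                = $vm.State
            InstancePath         = $a.InstancePath          # assumed property
            MinPartitionVRAM     = $a.MinPartitionVRAM      # assumed property
            MaxPartitionVRAM     = $a.MaxPartitionVRAM      # assumed property
            OptimalPartitionVRAM = $a.OptimalPartitionVRAM  # assumed property
        }
    }
}

if ($exposed) {
    "VMs exposing the DirectX vmbus surface:"
    $exposed | Format-Table -AutoSize
} else {
    "No VM on $env:COMPUTERNAME has a GPU partition adapter; the DirectX vmbus surface is not exposed."
}
```

Running VMs in the output are the ones whose guest kernel can issue the DXGK_VMBCOMMAND_* requests discussed in the rest of the article, so they are the hosts to prioritise for patching.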
The attack surface resides primarily in three driver files (dxgkrnl.sys, dxgmms1.sys, and dxgmms2.sys) and comprises 87 distinct commands (Figure 13). The article enumerates these commands and explains their memory layouts (Figures 10, 18).
CVE‑2022‑21918 is a null‑pointer dereference triggered in VidSchiSignalSyncObjectsFromCpu via the DXGK_VMBCOMMAND_SIGNALSYNCOBJECT path; stack traces (Figure 14) and PoC code (Figure 20) are provided.
CVE‑2021‑43219 also stems from a null‑pointer issue in DXGK_VMBCOMMAND_SUBMITCOMMAND, where an uninitialized CWin32kLocks structure leads to a BSOD; debugging steps and PoC (Figure 23) are shown.
CVE‑2022‑21912 is an arbitrary‑read vulnerability in DXGK_VMBCOMMAND_WAITFORSYNCOBJECTFROMGPU; the article walks through the command layout (Figure 26) and the chain of functions that ultimately dereference a controlled pointer (Figures 27‑29), accompanied by PoC (Figure 30).
CVE‑2022‑21898 is an arbitrary‑write flaw in DXGK_VMBCOMMAND_SUBMITVAILPRESENTHISTORYTOKEN. By manipulating fields in the command structure (Figure 33) and following the call chain through DXGADAPTER::SubmitPresentHistoryTokenFromVm and VidSchiAcquirePrivateDataReference, an attacker can write to an arbitrary address (Figure 36); PoC and debugging flow are illustrated (Figures 37‑38).
Overall, the article delivers a detailed, reverse‑engineering‑based security assessment of Hyper‑V DirectX, exposing multiple high‑severity vulnerabilities and providing reproducible exploit code for each.