CVE-2025-24985
FAT File System -- cluster count overflow in FAT bitmap allocation allows RCE
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | fastfat.sys |
| Vulnerability Class | Integer Overflow |
| Vulnerable Build | 10.0.22621.4830 (KB5050021) |
| Fixed Build | 10.0.22621.5037 (KB5051987) |
| Exploited ITW | Yes |
Affected Functions
FatSetupAllocationSupportFatExamineFatEntries
Root Cause
The FAT filesystem driver, fastfat.sys, has been part of Windows since the earliest NT releases. Its job is straightforward: parse FAT12, FAT16, and FAT32 volumes. CVE-2025-24985 reveals that this decades-old code contains an integer overflow in the cluster count arithmetic used during volume mount.
When FatSetupAllocationSupport initializes a FAT volume, it reads the BIOS Parameter Block (BPB) from the volume's boot sector and calculates the total number of clusters. This calculation involves multiplying fields like sectors-per-cluster and total-sectors. On a legitimately formatted volume, these values produce reasonable results. But on a crafted volume where the BPB fields are chosen to cause arithmetic wraparound, the multiplication overflows, producing an undersized result.
The driver then allocates a bitmap buffer based on this undersized value. When FatExamineFatEntries subsequently walks the FAT table and populates the bitmap, it writes past the end of the undersized buffer because the actual cluster count exceeds the allocation. The result is a heap buffer overflow in the kernel pool.
AutoPiff categorizes this as int_overflow with detection rules:
alloc_size_overflow_check_addedsafe_size_math_helper_added
Exploitation
The attack vector is elegant in its simplicity: the attacker creates a VHD file containing a crafted FAT volume with BPB fields designed to trigger the integer overflow. When the victim mounts the VHD (by double-clicking it, or through VirtDisk APIs), the kernel parses the malicious FAT metadata.
The integer overflow in FatSetupAllocationSupport causes an undersized bitmap allocation. FatExamineFatEntries then writes beyond the buffer boundary as it enumerates FAT entries, corrupting adjacent kernel pool objects. The attacker controls the pool layout through pre-mount allocations and shapes the overflow to corrupt a predictable kernel object.
The corrupted object provides a write primitive that enables standard SYSTEM escalation. No user interaction beyond the initial mount is required.
Exploitation Primitive
Crafted VHD with malicious FAT BPB fields
--> integer overflow in cluster count calculation
--> undersized bitmap allocation
--> FatExamineFatEntries writes past buffer end
--> heap overflow --> pool corruption --> SYSTEM
Patch Analysis
The patch adds overflow-safe arithmetic to the cluster count calculation in FatSetupAllocationSupport. The new code uses safe integer multiplication helpers that detect wraparound before using the result in allocation size calculations. If the multiplication would overflow, the volume mount is rejected.
AutoPiff detects this change via the alloc_size_overflow_check_added and safe_size_math_helper_added rules.
Detection
YARA Rule
rule CVE_2025_24985_FastFAT {
meta:
description = "Detects vulnerable version of fastfat.sys (pre-patch)"
cve = "CVE-2025-24985"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "fastfat.sys" wide ascii nocase
$internal_name = "InternalName" wide
$vuln_version = "10.0.22621.4830" wide ascii
$func_setup = "FatSetupAllocationSupport" ascii
$func_examine = "FatExamineFatEntries" ascii
condition:
$mz at 0 and $driver_name and $internal_name and $vuln_version
}
rule CVE_2025_24985_VHD_FAT_Artifact {
meta:
description = "Detects VHD file with crafted FAT filesystem and anomalous cluster counts"
cve = "CVE-2025-24985"
author = "KernelSight"
severity = "medium"
strings:
$vhd_magic = "conectix" ascii
$vhdx_magic = "vhdxfile" ascii
$fat32_marker = { 46 41 54 33 32 20 20 20 }
$fat16_marker = { 46 41 54 31 36 20 20 20 }
condition:
($vhd_magic at 0 or $vhdx_magic at 0) and ($fat32_marker or $fat16_marker)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
Microsoft-Windows-Storage |
VHD mount events | Detects the initial attack vector: mounting a crafted VHD containing a malicious FAT volume |
Microsoft-Windows-StorPort |
Disk I/O errors on virtual disk | Captures anomalous read patterns during FAT bitmap allocation parsing |
Microsoft-Windows-Kernel-Audit |
Privilege escalation events | Identifies privilege changes from successful integer overflow exploitation |
Microsoft-Windows-Security-Auditing |
Event 4688 -- Process creation | Detects post-exploitation process spawns with elevated privileges |
Behavioral Indicators
- A user-mode process mounting a VHD/VHDX containing a FAT filesystem with an abnormally large or inconsistent cluster count in the BIOS Parameter Block, triggering integer overflow during
FatSetupAllocationSupport - Integer overflow in the FAT bitmap allocation size calculation causing an undersized buffer allocation followed by an out-of-bounds write when
FatExamineFatEntriespopulates the bitmap - Pool corruption in NonPagedPoolNx or PagedPool originating from the fastfat.sys FAT entry enumeration path
- VHD files received via email, web, or removable media with valid FAT32/FAT16 boot sectors but crafted BPB fields (sectors per cluster, total sectors) designed to produce arithmetic wraparound
- Unexpected code execution or privilege escalation immediately following a FAT volume mount operation, without any user interaction beyond the initial mount
Broader Significance
Integer overflows in allocation size calculations are among the most dangerous vulnerability classes because they silently convert a large value into a small one, causing subsequent operations to write far beyond allocated boundaries. CVE-2025-24985 demonstrates this in one of Windows' oldest filesystem drivers. The attack vector (a crafted VHD delivered via email or web) requires minimal user interaction and triggers kernel code execution at mount time. The fix, using safe integer arithmetic helpers, is well-established best practice, but its absence in fastfat.sys for decades shows that legacy code audits remain essential.