
CVE-2025-24985

FAT File System — cluster count overflow in FAT bitmap allocation allows RCE

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

| Field | Value |
|---|---|
| Driver | fastfat.sys |
| Vulnerability Class | Integer Overflow |
| Vulnerable Build | 10.0.22621.4830 (KB5050021) |
| Fixed Build | 10.0.22621.5037 (KB5051987) |
| Exploited ITW | Yes |

Affected Functions

  • FatSetupAllocationSupport
  • FatExamineFatEntries

Root Cause

AutoPiff categorizes this as int_overflow with detection rules:

  • alloc_size_overflow_check_added
  • safe_size_math_helper_added

Exploitation

Patch Analysis

Detection

YARA Rule

```yara
rule CVE_2025_24985_FastFAT {
    meta:
        description = "Detects vulnerable version of fastfat.sys (pre-patch)"
        cve = "CVE-2025-24985"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }                                  // PE image header
        $driver_name = "fastfat.sys" wide ascii nocase
        $internal_name = "InternalName" wide             // version-resource key
        $vuln_version = "10.0.22621.4830" wide ascii     // unpatched file version
        $func_setup = "FatSetupAllocationSupport" ascii  // affected function, corroborating only
        $func_examine = "FatExamineFatEntries" ascii     // affected function, corroborating only
    condition:
        $mz at 0 and $driver_name and $internal_name and $vuln_version
        // Release builds are stripped, so the function names must not be required;
        // YARA still refuses to compile a rule with unreferenced strings, hence the
        // always-true clause that references them without constraining the match.
        and (any of ($func_*) or true)
}

rule CVE_2025_24985_VHD_FAT_Artifact {
    meta:
        description = "Detects VHD file with crafted FAT filesystem and anomalous cluster counts"
        cve = "CVE-2025-24985"
        author = "KernelSight"
        severity = "medium"
    strings:
        $vhd_magic = "conectix" ascii   // VHD footer cookie: last 512 bytes of the image,
                                        // also copied to offset 0 in dynamic/differencing images
        $vhdx_magic = "vhdxfile" ascii  // VHDX file identifier at offset 0
        $fat32_marker = { 46 41 54 33 32 20 20 20 }  // "FAT32   " in BS_FilSysType
        $fat16_marker = { 46 41 54 31 36 20 20 20 }  // "FAT16   " in BS_FilSysType
    condition:
        // A fixed-size VHD carries the footer only at the end of the file, so check both places.
        ($vhd_magic at 0 or $vhd_magic at (filesize - 512) or $vhdx_magic at 0)
        and ($fat32_marker or $fat16_marker)
        // Cluster-count sanity (BPB arithmetic) cannot be expressed here; validate the BPB offline.
}
```

ETW Indicators

| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Storage | VHD mount events | Detects the initial attack vector -- mounting a crafted VHD containing a malicious FAT volume |
| Microsoft-Windows-StorPort | Disk I/O errors on virtual disk | Captures anomalous read patterns during FAT bitmap allocation parsing |
| Microsoft-Windows-Kernel-Audit | Privilege escalation events | Identifies privilege changes from successful integer overflow exploitation |
| Microsoft-Windows-Security-Auditing | Event 4688 — Process creation | Detects post-exploitation process spawns with elevated privileges |

Behavioral Indicators

  • A user-mode process mounting a VHD/VHDX containing a FAT filesystem with an abnormally large or inconsistent cluster count in the BIOS Parameter Block, triggering integer overflow during FatSetupAllocationSupport
  • Integer overflow in the FAT bitmap allocation size calculation causing an undersized buffer allocation followed by an out-of-bounds write when FatExamineFatEntries populates the bitmap
  • Pool corruption in NonPagedPoolNx or PagedPool originating from the fastfat.sys FAT entry enumeration path
  • VHD files received via email, web, or removable media with valid FAT32/FAT16 boot sectors but crafted BPB fields (sectors per cluster, total sectors) designed to produce arithmetic wraparound
  • Unexpected code execution or privilege escalation immediately following a FAT volume mount operation, without any user interaction beyond the initial mount
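The YARA artifact rule above only flags a VHD that carries a FAT volume; the "abnormally large or inconsistent cluster count" in the behavioral indicators, and the safe-size-math check named under Root Cause, have to be verified against the BPB arithmetic itself. The following offline validator is an added example, not code from the advisory or from KernelSight. It computes the cluster count the way the FAT specification defines it, cross-checks it against the FAT size and the FAT32 cluster-number limit, and then applies the checked-multiply pattern a patch of this kind introduces. The per-cluster bookkeeping size (`bytes_per_cluster_entry`, default 4) and the helper names are assumptions made for illustration; they are not fastfat.sys's actual allocation formula. The three boot sectors at the bottom are constructed samples.

```python
"""Offline BPB sanity check for FAT volumes pulled out of a disk image.

Added example, not code from the advisory or from KernelSight. It models the
root cause described above (an attacker-controlled cluster count feeding an
allocation-size multiply) with a generic per-cluster bookkeeping size; that
size and the helper names are assumptions, not fastfat.sys's real arithmetic.
"""
import struct

U32_MAX = 0xFFFFFFFF
# Cluster numbers run from 2 to count+1 and must stay below the FAT32 bad-cluster marker 0x0FFFFFF7.
FAT32_MAX_CLUSTERS = 0x0FFFFFF5


def mul_u32_wrapping(a, b):
    """What an unchecked ULONG multiply does: the product silently wraps at 2^32."""
    return (a * b) & U32_MAX


def mul_u32_checked(a, b):
    """Safe-math helper pattern: the product, or None when it would not fit in a ULONG."""
    product = a * b
    return product if product <= U32_MAX else None


def parse_bpb(sector):
    """Read the BIOS Parameter Block fields this check needs from a 512-byte boot sector.
    Field offsets follow Microsoft's FAT32 File System Specification."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector")
    keys = ("bytes_per_sector", "sectors_per_cluster", "reserved",
            "num_fats", "root_entries", "total16")
    f = dict(zip(keys, struct.unpack_from("<HBHBHH", sector, 11)))
    f["fat_size16"] = struct.unpack_from("<H", sector, 22)[0]
    f["total32"], f["fat_size32"] = struct.unpack_from("<II", sector, 32)
    return f


def cluster_count(f):
    """CountofClusters as the FAT spec defines it; zero or negative means the BPB contradicts itself."""
    bps = f["bytes_per_sector"]
    root_dir_sectors = (f["root_entries"] * 32 + bps - 1) // bps
    fat_size = f["fat_size16"] or f["fat_size32"]
    total = f["total16"] or f["total32"]
    data_sectors = total - (f["reserved"] + f["num_fats"] * fat_size + root_dir_sectors)
    return data_sectors // f["sectors_per_cluster"]


def validate(sector, bytes_per_cluster_entry=4):
    """Return the list of findings for a boot sector; an empty list means every check passed.
    bytes_per_cluster_entry is the assumed per-cluster bookkeeping size of the modelled allocation."""
    f = parse_bpb(sector)
    findings = []
    bps, spc = f["bytes_per_sector"], f["sectors_per_cluster"]
    if bps not in (512, 1024, 2048, 4096):
        findings.append("bytes_per_sector %d is not a legal value" % bps)
    if spc == 0 or spc > 128 or spc & (spc - 1):
        findings.append("sectors_per_cluster %d is not a power of two in 1..128" % spc)
    if f["num_fats"] == 0:
        findings.append("num_fats is zero")
    if findings:
        return findings  # geometry is unusable, so the arithmetic below would be meaningless
    clusters = cluster_count(f)
    if clusters <= 0:
        findings.append("total sectors do not cover the reserved area, FATs and root directory")
        return findings
    if clusters > FAT32_MAX_CLUSTERS:
        findings.append("cluster count %#x exceeds the FAT32 maximum %#x" % (clusters, FAT32_MAX_CLUSTERS))
    # The FAT itself must have room for one entry per cluster (12, 16 or 32 bits by cluster count).
    fat_bytes = (f["fat_size16"] or f["fat_size32"]) * bps
    entries = clusters + 2
    needed = (entries * 3 + 1) // 2 if clusters < 4085 else entries * (2 if clusters < 65525 else 4)
    if fat_bytes < needed:
        findings.append("FAT is too small to hold an entry for every claimed cluster")
    # The kind of check the root-cause rules above describe: reject the volume rather than
    # allocate from a wrapped length.
    if mul_u32_checked(clusters, bytes_per_cluster_entry) is None:
        findings.append("per-cluster allocation size wraps a 32-bit length (unchecked result %#x)"
                        % mul_u32_wrapping(clusters, bytes_per_cluster_entry))
    return findings


def make_boot_sector(sectors_per_cluster, total32, fat_size32, reserved=32, num_fats=2):
    """Constructed FAT32 boot sector with only the BPB fields this check reads (the rest zero)."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x58\x90"
    sector[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHH", sector, 11, 512, sectors_per_cluster, reserved, num_fats, 0, 0)
    struct.pack_into("<II", sector, 32, total32, fat_size32)
    sector[82:90] = b"FAT32   "
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples: a plausible 1 GiB FAT32 volume and two self-contradictory BPBs.
SANE_VOLUME = make_boot_sector(sectors_per_cluster=8, total32=2097152, fat_size32=2050)
OVERSIZED_VOLUME = make_boot_sector(sectors_per_cluster=1, total32=0xFFFFFFFF, fat_size32=2050)
TRUNCATED_VOLUME = make_boot_sector(sectors_per_cluster=8, total32=100, fat_size32=2050)

if __name__ == "__main__":
    for name, sector in (("sane", SANE_VOLUME), ("oversized", OVERSIZED_VOLUME),
                         ("truncated", TRUNCATED_VOLUME)):
        print(name, validate(sector) or ["ok"])
```

Run it against the boot sector of each FAT partition carved from a suspect VHD (the BPB sits in the first sector of the partition, not of the image). The sane volume yields no findings; the oversized one trips three checks at once, because a total-sector count of 0xFFFFFFFF with one sector per cluster both exceeds the FAT32 cluster limit and cannot be covered by the declared FAT, and its per-cluster product no longer fits in 32 bits; the truncated one fails before any multiplication because the declared size does not even cover the metadata regions.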
