CVE-2025-24991
ntfs.sys — out-of-bounds read leaks kernel memory via crafted NTFS volume
Exploited in the Wild
Actively exploited zero-day. Patched in March 2025 alongside CVE-2025-24984 and CVE-2025-24993. Added to CISA KEV.
Summary
| Field | Value |
|---|---|
| Driver | ntfs.sys |
| Vulnerability Class | Information Disclosure (Out-of-Bounds Read) |
| CVSS | 5.5 |
| Exploited ITW | Yes |
| Patch Date | March 11, 2025 |
Root Cause
The NTFS driver skips buffer boundary checks when reading metadata from a crafted NTFS volume. An out-of-bounds read returns kernel heap contents to user mode. The attacker must trick a user into mounting a malicious VHD or inserting a crafted USB device.
Part of a trio of NTFS zero-days patched in March 2025 (alongside CVE-2025-24984 and CVE-2025-24993).
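The bug class described above, shown as the check that prevents it. This is an added example, not ntfs.sys code: the page does not say which metadata structure is involved, so the walk below uses the attribute list of an NTFS file record as a stand-in, and the names `count_attrs_checked` and `make_sample` and the sample record are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ATTR_END 0xFFFFFFFFu            /* end-of-attributes marker */

/* Little-endian accessors that do not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the attribute list of one file record held in buf[0..len).
 * Returns the attribute count, or -1 if any on-disk offset or length
 * would take the walk outside the bytes actually read from the volume. */
int count_attrs_checked(const uint8_t *buf, size_t len)
{
    if (len < 0x1C || memcmp(buf, "FILE", 4) != 0) return -1;
    size_t off  = rd16(buf + 0x14);     /* offset of first attribute (untrusted) */
    size_t used = rd32(buf + 0x18);     /* bytes in use (untrusted) */
    if (used > len || off > used) return -1;
    for (int n = 0;; n++) {
        if (used - off < 4) return -1;              /* room for the type field? */
        if (rd32(buf + off) == ATTR_END) return n;
        if (used - off < 8) return -1;              /* room for the length field? */
        uint32_t alen = rd32(buf + off + 4);
        /* The bounds check: length must advance the walk and stay inside the record. */
        if (alen < 8 || alen > used - off) return -1;
        off += alen;
    }
}

/* Constructed sample: 96-byte record, one attribute at 0x30 claiming attr_len bytes. */
void make_sample(uint8_t rec[96], uint32_t attr_len)
{
    memset(rec, 0, 96);
    memcpy(rec, "FILE", 4);
    rec[0x14] = 0x30;
    wr32(rec + 0x18, 0x50);             /* 80 bytes in use */
    wr32(rec + 0x30, 0x10);             /* attribute type */
    wr32(rec + 0x34, attr_len);         /* attribute length, attacker-controlled on disk */
    wr32(rec + 0x48, ATTR_END);         /* end marker where a 24-byte attribute would end */
}

int main(void)
{
    uint8_t rec[96];
    make_sample(rec, 0x1000);           /* length points far past the record */
    return count_attrs_checked(rec, sizeof rec) == -1 ? 0 : 1;
}
```

Every offset and length is compared against the number of bytes actually held before it is used, so an oversized on-disk length ends the walk instead of steering a read into adjacent heap memory.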
Exploitation
The attacker provides a crafted NTFS volume (VHD file or physical media). When mounted, the NTFS driver reads past the end of a metadata buffer, leaking kernel heap contents. The leak gives a KASLR bypass primitive.
Exploitation Primitive
Crafted NTFS volume → metadata parsing → OOB read
→ kernel heap contents leaked to user mode