CVE-2025-24991

ntfs.sys -- out-of-bounds read leaks kernel memory via crafted NTFS volume

Exploited in the Wild

Actively exploited zero-day. Patched in March 2025 alongside CVE-2025-24984 and CVE-2025-24993. Added to CISA KEV.

Summary

Field                 Value
Driver                ntfs.sys
Vulnerability Class   Information Disclosure (Out-of-Bounds Read)
CVSS                  5.5
Exploited ITW         Yes
Patch Date            March 11, 2025

Root Cause

Of the three NTFS zero-days patched in March 2025, CVE-2025-24991 sits in the middle of the severity spectrum. Where CVE-2025-24984 leaks data through log files and CVE-2025-24993 provides a heap overflow for code execution, CVE-2025-24991 offers a direct out-of-bounds read that returns kernel heap contents to user mode.

The vulnerability lives in the NTFS driver's metadata parsing logic. When the driver processes metadata structures from a crafted NTFS volume, it trusts length or offset fields embedded in the on-disk structures without verifying that they fall within the buffer boundaries. A metadata record with an oversized length field causes the driver to read past the end of its allocated buffer, returning whatever kernel heap data sits beyond the boundary.

The attack requires getting the victim to mount a malicious NTFS volume. This can happen through a crafted VHD file (double-click to mount) or by inserting a crafted USB device. The social engineering requirement is modest: VHD files can be attached to emails, and USB insertion can be achieved through physical access or supply chain manipulation.

Exploitation

The attacker creates a VHD file containing a crafted NTFS volume with metadata records whose length fields exceed the actual data size. When the victim mounts the volume, the NTFS driver allocates a buffer, reads the metadata, and then processes it based on the on-disk length fields.

Because the length fields point beyond the buffer boundary, the driver reads kernel heap memory that was not part of the original metadata. This data is returned to user mode through the filesystem interface, giving the attacker a window into kernel memory contents.
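The bug class described in the Root Cause and Exploitation sections, trusting size fields that arrive with the on-disk data, is easiest to see in a small parser. The following C program is an added example, not code from the original page and not the NTFS driver's actual logic; the record layout (a 4-byte record length, then a 2-byte payload offset and a 2-byte payload length) is hypothetical and stands in for any self-describing metadata record. `trusting_record_span` shows the unsafe pattern, returning the byte span a parser would touch if it believed the header; `hardened_record_view` shows the bounds checks that keep every access inside the bytes actually read from the volume. The sample records are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical on-disk metadata record header (NOT the real NTFS layout;
 * a simplified stand-in for any record that carries its own size fields). */
struct record_hdr {
    uint32_t record_len;   /* total bytes in this record, header included   */
    uint16_t data_off;     /* payload offset from the start of the record   */
    uint16_t data_len;     /* payload length in bytes                       */
};

#define RECORD_HDR_SIZE 8u

struct record_view {
    const uint8_t *data;   /* points into the caller's buffer, never beyond */
    size_t         len;
};

/* Decode the little-endian header from raw bytes; no struct overlay, so
 * only the bytes that are really present are touched. Caller guarantees
 * at least RECORD_HDR_SIZE bytes. */
static void read_hdr(const uint8_t *buf, struct record_hdr *h)
{
    h->record_len = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                    (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    h->data_off   = (uint16_t)(buf[4] | buf[5] << 8);
    h->data_len   = (uint16_t)(buf[6] | buf[7] << 8);
}

/* Unsafe pattern (the advisory's root cause): the header's size fields are
 * trusted. Returns the number of bytes from the record start that a parser
 * would read; when that exceeds buf_len the read runs off the allocation.
 * Returns 0 only when not even a header is present. */
size_t trusting_record_span(const uint8_t *buf, size_t buf_len)
{
    struct record_hdr h;
    if (buf_len < RECORD_HDR_SIZE)
        return 0;
    read_hdr(buf, &h);
    /* No comparison against buf_len here: this is the missing check. */
    return (size_t)h.data_off + h.data_len;
}

/* Hardened form: every on-disk size is validated against buf_len, the
 * number of bytes the driver actually allocated and read, before use.
 * Subtraction after the ordering checks avoids integer overflow that an
 * addition like data_off + data_len could hide. Returns 0 or -1. */
int hardened_record_view(const uint8_t *buf, size_t buf_len,
                         struct record_view *out)
{
    struct record_hdr h;
    if (buf_len < RECORD_HDR_SIZE)
        return -1;                                  /* truncated header      */
    read_hdr(buf, &h);
    if (h.record_len < RECORD_HDR_SIZE || h.record_len > buf_len)
        return -1;                                  /* claims more than exists */
    if (h.data_off < RECORD_HDR_SIZE || h.data_off > h.record_len)
        return -1;                                  /* payload starts outside */
    if (h.data_len > h.record_len - h.data_off)
        return -1;                                  /* payload overruns record */
    out->data = buf + h.data_off;
    out->len  = h.data_len;
    return 0;
}

/* Convenience wrapper: accepted payload length, or -1 when rejected. */
long hardened_payload_len(const uint8_t *buf, size_t buf_len)
{
    struct record_view v;
    return hardened_record_view(buf, buf_len, &v) == 0 ? (long)v.len : -1;
}

/* Constructed sample records, 32 bytes each (unlisted bytes are zero). */
static const uint8_t good_record[32] = {
    0x20, 0x00, 0x00, 0x00,            /* record_len = 32            */
    0x08, 0x00,                        /* data_off   = 8             */
    0x10, 0x00,                        /* data_len   = 16            */
    'M','E','T','A','D','A','T','A','0','1','2','3','4','5','6','7',
};

static const uint8_t bad_record[32] = {
    0x00, 0x10, 0x00, 0x00,            /* record_len = 4096, only 32 present */
    0x08, 0x00,                        /* data_off   = 8                     */
    0x00, 0x08,                        /* data_len   = 2048                  */
    'X','X','X','X','X','X','X','X',
};

int main(void)
{
    printf("good: trusting span %zu bytes, hardened payload %ld\n",
           trusting_record_span(good_record, sizeof good_record),
           hardened_payload_len(good_record, sizeof good_record));
    printf("bad:  trusting span %zu bytes (buffer is %zu), hardened payload %ld\n",
           trusting_record_span(bad_record, sizeof bad_record),
           sizeof bad_record,
           hardened_payload_len(bad_record, sizeof bad_record));
    return 0;
}
```

For the constructed bad record the trusting parser would walk 2056 bytes from a 32-byte buffer, which is the shape of the over-read the advisory describes; the hardened parser rejects it at the `record_len > buf_len` check. The same checks also reject a truncated buffer whose header still advertises the full record, the case a short read from a damaged volume produces.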

The primary value of this leak is as a KASLR defeat. Kernel base addresses, pool allocation metadata, and potentially even security token fragments can appear in the leaked data. This information makes exploitation of companion memory corruption bugs (like CVE-2025-24993) significantly more reliable.

Exploitation Primitive

Crafted NTFS volume with oversized metadata length fields
  --> NTFS driver reads past buffer boundary
  --> kernel heap contents returned to user mode
  --> KASLR bypass or sensitive data exposure

Broader Significance

CVE-2025-24991 is the information gathering piece of the March 2025 NTFS trio. Alone, it leaks data but does not corrupt memory. Combined with CVE-2025-24993's heap overflow, it provides the address information needed for reliable exploitation. This pairing, an info-disclosure bug used to enable a separate memory corruption bug, is a standard pattern in modern exploit chains. The fact that both bugs were exploited in the wild together suggests the threat actor understood the value of chaining complementary primitives.