CVE-2025-24992

ntfs.sys -- buffer over-read leaks kernel memory

Summary

Field                Value
Driver               ntfs.sys
Vulnerability Class  Information Disclosure (Buffer Over-Read)
CVSS                 5.5
Exploited ITW        No
Patch Date           March 11, 2025

Root Cause

CVE-2025-24992 is the fourth NTFS vulnerability patched in March 2025, though unlike its three siblings (CVE-2025-24984, CVE-2025-24991, and CVE-2025-24993), this one was not observed in active exploitation.

The vulnerability is a buffer over-read, closely related in nature to CVE-2025-24991. When the NTFS driver processes metadata from a crafted NTFS volume, it reads beyond the boundaries of an internal buffer because it trusts on-disk length or offset values without validating them against the actual allocation. The data beyond the buffer boundary, which consists of kernel heap contents, is returned to user mode.

The practical difference between CVE-2025-24992 and CVE-2025-24991 is likely the specific metadata structure or parsing path involved. Both produce the same outcome: kernel memory contents leaking to a user-mode caller who mounts a crafted volume.
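The root-cause pattern described above, as an added example that is not the page's own code and not the ntfs.sys implementation: a small C parser for the standard NTFS resident attribute header. The page does not name the metadata structure involved in CVE-2025-24992, so using the resident attribute header here is an assumption made for illustration. The unchecked routine copies `value_length` bytes from `value_offset` exactly as recorded on disk; the checked routine validates both against the attribute's own declared `length` and against the bytes actually available in the containing MFT record copy. The MFT record bytes and the `'P'` filler that stands in for neighbouring kernel pool memory are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field offsets in the standard on-disk NTFS resident attribute header (little-endian). */
#define ATTR_LENGTH_OFF       0x04  /* uint32: total size of this attribute record */
#define ATTR_NONRES_OFF       0x08  /* uint8:  0 = resident, 1 = non-resident */
#define ATTR_VALUE_LENGTH_OFF 0x10  /* uint32: size of the resident value */
#define ATTR_VALUE_OFFSET_OFF 0x14  /* uint16: value start, relative to record start */
#define ATTR_RESIDENT_HDR_LEN 0x18  /* header is 24 bytes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Bug pattern: the on-disk value length and offset are trusted as-is. `rec_avail`
 * is only used as a demo guard so this program stays inside its own buffer; the
 * real defect is that nothing compares the value against the record's length. */
static long attr_value_unchecked(const uint8_t *rec, size_t rec_avail,
                                 uint8_t *out, size_t out_cap) {
    uint32_t vlen = rd32(rec + ATTR_VALUE_LENGTH_OFF);
    uint16_t voff = rd16(rec + ATTR_VALUE_OFFSET_OFF);
    size_t n = vlen < out_cap ? vlen : out_cap;       /* destination is bounded... */
    if ((size_t)voff + n > rec_avail) return -1;      /* ...demo guard only, not source validation */
    memcpy(out, rec + voff, n);                        /* source read runs past the 48-byte record */
    return (long)n;
}

/* Hardened form: every on-disk length/offset is checked against the enclosing structure. */
static long attr_value_checked(const uint8_t *rec, size_t rec_avail,
                               uint8_t *out, size_t out_cap) {
    if (rec_avail < ATTR_RESIDENT_HDR_LEN) return -1;           /* header must be fully present */
    uint32_t rlen = rd32(rec + ATTR_LENGTH_OFF);
    uint8_t  nonres = rec[ATTR_NONRES_OFF];
    uint32_t vlen = rd32(rec + ATTR_VALUE_LENGTH_OFF);
    uint16_t voff = rd16(rec + ATTR_VALUE_OFFSET_OFF);
    if (nonres != 0) return -1;                                  /* this parser handles resident only */
    if (rlen < ATTR_RESIDENT_HDR_LEN || rlen > rec_avail) return -1; /* record fits its container */
    if (voff < ATTR_RESIDENT_HDR_LEN || voff > rlen) return -1;  /* value starts after the header, inside record */
    if (vlen > rlen - voff) return -1;                           /* value ends inside record (no overflow form) */
    if (vlen > out_cap) return -1;                               /* and fits the destination */
    memcpy(out, rec + voff, vlen);
    return (long)vlen;
}

/* Constructed sample data: a 1024-byte MFT record copy whose first 48 bytes are a
 * resident attribute (24-byte header + 24-byte value); the rest is 'P' filler that
 * stands in for whatever neighbouring pool memory a driver would read into. */
#define POOL_SIZE  1024
#define POOL_MARK  'P'
#define REAL_VALUE "filename-value-24-bytes!"   /* exactly 24 bytes */

static void build_record(uint8_t *pool, uint32_t declared_vlen, uint16_t declared_voff) {
    memset(pool, POOL_MARK, POOL_SIZE);
    memset(pool, 0, ATTR_RESIDENT_HDR_LEN);
    put32(pool + 0x00, 0x30);                       /* $FILE_NAME attribute type */
    put32(pool + ATTR_LENGTH_OFF, 48);              /* honest record length */
    pool[ATTR_NONRES_OFF] = 0;
    put32(pool + ATTR_VALUE_LENGTH_OFF, declared_vlen);
    put16(pool + ATTR_VALUE_OFFSET_OFF, declared_voff);
    memcpy(pool + ATTR_RESIDENT_HDR_LEN, REAL_VALUE, 24);
}

/* Bytes the unchecked parser returned from outside the 48-byte record (value_length claims 64). */
static long leaked_bytes_unchecked(void) {
    uint8_t pool[POOL_SIZE], out[256];
    build_record(pool, 64, 24);
    long n = attr_value_unchecked(pool, sizeof pool, out, sizeof out);
    long leaked = 0;
    for (long i = 24; i < n; i++) if (out[i] == POOL_MARK) leaked++;
    return leaked;                                   /* 40: the copy overran into the filler */
}
static long checked_crafted_length(void) {           /* same crafted record, hardened parser */
    uint8_t pool[POOL_SIZE], out[256];
    build_record(pool, 64, 24);
    return attr_value_checked(pool, sizeof pool, out, sizeof out);   /* -1: rejected */
}
static long checked_crafted_offset(void) {           /* honest length, offset pointing past the record */
    uint8_t pool[POOL_SIZE], out[256];
    build_record(pool, 24, 512);
    return attr_value_checked(pool, sizeof pool, out, sizeof out);   /* -1: rejected */
}
static long checked_wellformed(void) {               /* consistent header, hardened parser */
    uint8_t pool[POOL_SIZE], out[256];
    build_record(pool, 24, 24);
    return attr_value_checked(pool, sizeof pool, out, sizeof out);   /* 24: value returned */
}

int main(void) {
    printf("unchecked parser leaked %ld bytes past the record\n", leaked_bytes_unchecked());
    printf("checked parser, crafted length: %ld\n", checked_crafted_length());
    printf("checked parser, crafted offset: %ld\n", checked_crafted_offset());
    printf("checked parser, well-formed:    %ld\n", checked_wellformed());
    return 0;
}
```

The check worth noting is `vlen > rlen - voff`, written as a subtraction after `voff <= rlen` has been established, so a large `value_length` cannot wrap an addition and slip past the comparison; the same shape applies to any on-disk length/offset pair a filesystem driver consumes.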

Exploitation

The attack pattern mirrors the other NTFS volume-based vulnerabilities. The attacker provides a crafted NTFS volume (as a VHD file for remote delivery, or on physical media for physical access scenarios). When the victim mounts the volume, the NTFS driver parses the malicious metadata, reads past buffer boundaries, and returns kernel heap data to user mode.

The leaked memory is useful as a KASLR bypass, providing kernel addresses that enable reliable exploitation of memory corruption vulnerabilities. It can also expose fragments of other processes' data, depending on what happened to be allocated in the adjacent heap region.

Exploitation Primitive

Crafted NTFS volume --> metadata parsing --> buffer over-read
  --> kernel heap contents leaked to user mode
  --> KASLR bypass

Broader Significance

Four NTFS vulnerabilities in a single patch cycle, three of them exploited as zero-days, signal that the NTFS metadata parsing code was under heavy scrutiny from both attackers and researchers in early 2025. CVE-2025-24992, though not exploited in the wild, shares the same fundamental weakness as CVE-2025-24991: trusting on-disk metadata values as valid indices or lengths. The March 2025 NTFS cluster should prompt defenders to treat any filesystem driver patch as high priority, since volume parsing happens automatically at mount time, with no user interaction beyond the initial mount.