CVE-2025-24993

NTFS -- MFT metadata heap buffer overflow via crafted VHD allows RCE

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field | Value
Driver | ntfs.sys
Vulnerability Class | Buffer Overflow / Bounds Check
Vulnerable Build | 10.0.22621.4830 (KB5050021)
Fixed Build | 10.0.22621.4890 (KB5051987)
Exploited ITW | Yes

Affected Functions

  • NtfsReadMftRecord
  • NtfsReadFileRecord

Root Cause

Of the three NTFS zero-days in March 2025, CVE-2025-24993 is the most dangerous. While CVE-2025-24984 and CVE-2025-24991 leak information, CVE-2025-24993 provides a heap buffer overflow that enables code execution.

The vulnerability targets the Master File Table (MFT), the central metadata structure of every NTFS volume. Each file and directory on an NTFS volume has a corresponding MFT record, a fixed-size structure containing attributes that describe the file's properties and data. The key functions, NtfsReadMftRecord and NtfsReadFileRecord, are responsible for reading these records from disk into kernel memory.

When these functions process an MFT record from a crafted volume, they trust the attribute length fields embedded in the on-disk record structure. If an attribute's declared length exceeds the record's actual allocation size, the memcpy that copies attribute data writes beyond the destination buffer in the kernel pool. The result is a heap overflow in NonPagedPoolNx.

The attack vector is the same as the companion NTFS bugs: the attacker delivers a crafted VHD file (via email, web download, or removable media) containing a malicious NTFS volume. When the victim mounts the VHD, the kernel parses the MFT and triggers the overflow.

AutoPiff categorizes this as bounds_check and matches the fix with the detection rules:

  • added_len_check_before_memcpy
  • added_struct_size_validation

Exploitation

The attacker crafts a VHD file with an NTFS volume whose MFT records contain attributes with oversized length fields. The VHD can be delivered through any file transfer mechanism: email attachment, web download, USB device.

When the victim mounts the VHD, the kernel's NTFS driver reads the MFT. NtfsReadMftRecord allocates a buffer for the record and copies data from disk. Because the attribute length fields are trusted, the copy writes beyond the buffer boundary, overflowing into adjacent NonPagedPoolNx allocations.

The attacker controls the pool layout through pre-mount allocations, ensuring that a predictable kernel object sits adjacent to the overflow target. The corrupted object provides a read/write primitive that enables standard SYSTEM escalation through token manipulation.

The exploitation chain likely pairs this overflow with CVE-2025-24991 to defeat KASLR: the OOB read leaks kernel addresses, and the heap overflow uses those addresses for precise memory corruption.

Exploitation Primitive

Crafted VHD with NTFS volume --> MFT record with oversized attribute lengths
  --> NtfsReadMftRecord copies beyond buffer boundary
  --> heap overflow in NonPagedPoolNx
  --> adjacent object corruption --> kernel R/W primitive --> SYSTEM

Patch Analysis

The fix adds bounds validation to NtfsReadMftRecord and NtfsReadFileRecord. Before copying attribute data, the patched code verifies that the declared attribute length does not exceed the record's allocation size. Records with inconsistent lengths are rejected, preventing the overflow.

AutoPiff detects this change via the added_len_check_before_memcpy rule, which identifies the new comparison instruction that validates attribute sizes before the copy operation.
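The root-cause and patch descriptions above both come down to one question: is every length field read from the on-disk record checked against the buffer the record was read into before it is used as a copy size? The following C program is an added example, not code from this page, from AutoPiff, or from ntfs.sys. It models a resident-attribute reader in user mode: the structure offsets are the public NTFS FILE record and attribute header layout, the record contents are constructed test data, and the function names (copy_resident_values, build_record, run_scenario, trusted_copy_size) are hypothetical. copy_resident_values performs the checks the patch analysis describes (attribute length inside the record, value inside the attribute, on-disk sizes inside the real buffer); removing them leaves exactly the trusting memcpy the root-cause section describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Public NTFS on-disk layout. FILE record header: first-attribute offset (u16),
 * bytes in use (u32), bytes allocated (u32). Attribute header: type (u32,
 * 0xFFFFFFFF ends the list), length (u32, header + value), non-resident flag
 * (u8), resident value length (u32) and value offset (u16). */
enum { REC_FIRST_ATTR = 0x14, REC_BYTES_USED = 0x18, REC_BYTES_ALLOC = 0x1C, REC_HDR_MIN = 0x30 };
enum { ATTR_TYPE = 0x00, ATTR_LENGTH = 0x04, ATTR_NONRES = 0x08, ATTR_RES_VALLEN = 0x10,
       ATTR_RES_VALOFF = 0x14, ATTR_RES_HDR = 0x18 };
#define ATTR_END 0xFFFFFFFFu

enum mft_status { MFT_OK = 0, MFT_BAD_MAGIC, MFT_BAD_HEADER, MFT_ATTR_OVERSIZED,
                  MFT_VALUE_OVERSIZED, MFT_NO_TERMINATOR, MFT_OUTPUT_TOO_SMALL };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walks one FILE record and copies every resident attribute value into 'out'.
 * Each length read from disk is checked against its enclosing bound (reader's
 * buffer > bytes allocated > bytes in use > attribute > value) before it is used
 * as a copy size; dropping those checks and trusting ATTR_LENGTH / ATTR_RES_VALLEN
 * is the pattern described above. Returns bytes copied, or -mft_status. */
long copy_resident_values(const uint8_t *rec, size_t rec_size, uint8_t *out, size_t out_size)
{
    if (rec_size < REC_HDR_MIN || memcmp(rec, "FILE", 4) != 0) return -MFT_BAD_MAGIC;
    uint32_t alloc = rd32(rec + REC_BYTES_ALLOC), used = rd32(rec + REC_BYTES_USED);
    size_t off = rd16(rec + REC_FIRST_ATTR), copied = 0;
    /* The buffer the reader actually owns (rec_size) is the hard bound. */
    if (alloc > rec_size || used > alloc || off < REC_HDR_MIN || off > used) return -MFT_BAD_HEADER;
    for (;;) {
        if (used - off < 4) return -MFT_NO_TERMINATOR;
        if (rd32(rec + off + ATTR_TYPE) == ATTR_END) return (long)copied;
        if (used - off < ATTR_RES_HDR) return -MFT_ATTR_OVERSIZED;
        uint32_t len = rd32(rec + off + ATTR_LENGTH);
        /* The check the patch adds: the declared attribute length must stay inside
         * the record and be sane (at least a header, 8-byte aligned). */
        if (len < ATTR_RES_HDR || (len & 7) || len > used - off) return -MFT_ATTR_OVERSIZED;
        if (rec[off + ATTR_NONRES] == 0) {
            uint32_t vlen = rd32(rec + off + ATTR_RES_VALLEN);
            uint16_t voff = rd16(rec + off + ATTR_RES_VALOFF);
            /* The value must lie inside its own attribute, not just inside the record. */
            if (voff < ATTR_RES_HDR || voff > len || vlen > len - voff) return -MFT_VALUE_OVERSIZED;
            if (vlen > out_size - copied) return -MFT_OUTPUT_TOO_SMALL;
            memcpy(out + copied, rec + off + voff, vlen);
            copied += vlen;
        }
        off += len;
    }
}

/* Constructed test record: one resident $DATA attribute (type 0x80) holding the
 * 8 bytes "payload!", then the end marker. 'attr_len' and 'value_len' are written
 * into the headers as given; the honest values are 0x20 and 8, larger ones mimic
 * the oversized length fields of a crafted volume. */
void build_record(uint8_t *rec, size_t rec_size, uint32_t attr_len, uint32_t value_len)
{
    memset(rec, 0, rec_size);
    memcpy(rec, "FILE", 4);
    wr16(rec + REC_FIRST_ATTR, 0x38);                 /* first attribute at 0x38, as in real records */
    wr32(rec + REC_BYTES_ALLOC, (uint32_t)rec_size);
    wr32(rec + REC_BYTES_USED, 0x38 + 0x20 + 8);      /* header + attribute + end marker */
    uint8_t *a = rec + 0x38;
    wr32(a + ATTR_TYPE, 0x80);
    wr32(a + ATTR_LENGTH, attr_len);
    wr32(a + ATTR_RES_VALLEN, value_len);
    wr16(a + ATTR_RES_VALOFF, ATTR_RES_HDR);
    memcpy(a + ATTR_RES_HDR, "payload!", 8);
    wr32(a + 0x20, ATTR_END);
}

/* Copy size an unchecked reader would hand to memcpy for the first attribute:
 * whatever the record claims. Nothing is copied here. */
uint32_t trusted_copy_size(const uint8_t *rec)
{
    return rd32(rec + rd16(rec + REC_FIRST_ATTR) + ATTR_RES_VALLEN);
}

/* Builds a 1 KiB record with the given header values and runs the checked reader
 * against a record-sized destination. Returns bytes copied or -mft_status. */
long run_scenario(uint32_t attr_len, uint32_t value_len)
{
    uint8_t rec[1024], out[1024];
    build_record(rec, sizeof rec, attr_len, value_len);
    return copy_resident_values(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    uint8_t rec[1024];
    printf("honest record     -> %ld bytes copied\n", run_scenario(0x20, 8));
    printf("attr len 0x400    -> status %ld\n", run_scenario(0x400, 8));
    printf("value len 0x1000  -> status %ld\n", run_scenario(0x20, 0x1000));
    build_record(rec, sizeof rec, 0x20, 0x1000);
    printf("unchecked reader would copy %u bytes into a %zu-byte buffer\n", trusted_copy_size(rec), sizeof rec);
    return 0;
}
```

The honest record yields 8 copied bytes; the record with a 0x400 attribute length is rejected before any copy because the attribute would extend past the record's bytes-in-use, and the record with a 0x1000 value length is rejected because the value would escape its 0x20-byte attribute, while trusted_copy_size shows that a reader without these checks would hand memcpy a size four times larger than its 1 KiB destination. The ordering matters: the buffer the reader owns is validated first, then bytes-in-use, then each attribute, then each value, so no later check ever relies on an unchecked earlier field.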

Detection

YARA Rule

rule CVE_2025_24993_NTFS {
    meta:
        description = "Detects vulnerable version of ntfs.sys (pre-patch)"
        cve = "CVE-2025-24993"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }                                // PE header magic
        $driver_name = "ntfs.sys" wide ascii nocase
        $internal_name = "InternalName" wide           // VS_VERSIONINFO resource key
        $vuln_version = "10.0.22621.4830" wide ascii   // file version of the unpatched build
        // YARA refuses to compile a rule that declares a string without using it
        // in the condition, so the affected function names are kept as comments:
        // $func_read_mft = "NtfsReadMftRecord" ascii
        // $func_read_file = "NtfsReadFileRecord" ascii
    condition:
        $mz at 0 and $driver_name and $internal_name and $vuln_version
}

rule CVE_2025_24993_VHD_Artifact {
    meta:
        description = "Detects VHD/VHDX file with potentially crafted MFT records"
        cve = "CVE-2025-24993"
        author = "KernelSight"
        severity = "medium"
    strings:
        $vhdx_magic = "vhdxfile" ascii                 // VHDX file type identifier at offset 0
        $vhd_magic = "conectix" ascii                  // VHD footer cookie
        $ntfs_sig = { 4E 54 46 53 20 20 20 20 }        // "NTFS    " OEM ID in the boot sector
    condition:
        // Dynamic and differencing VHDs carry a copy of the footer at offset 0;
        // a fixed-size VHD only has the 512-byte footer at the end of the file.
        // This is a triage rule: it flags every NTFS-formatted VHD/VHDX, not only crafted ones.
        ($vhdx_magic at 0 or $vhd_magic at 0 or $vhd_magic at (filesize - 512)) and $ntfs_sig
}

ETW Indicators

Provider | Event / Signal | Relevance
Microsoft-Windows-Storage | VHD mount events | Detects the initial attack vector: mounting a crafted VHD containing the malicious NTFS volume
Microsoft-Windows-Ntfs | MFT read errors / metadata corruption events | Captures anomalous MFT record processing that triggers the heap overflow
Microsoft-Windows-Kernel-Audit | Privilege escalation events | Identifies privilege changes resulting from successful exploitation
Microsoft-Windows-Security-Auditing | Event 4688 -- Process creation | Detects suspicious process spawns following VHD mount and exploitation

Behavioral Indicators

  • A user-mode process mounting a VHD/VHDX file via VirtDisk APIs (OpenVirtualDisk / AttachVirtualDisk) followed by immediate NTFS metadata parsing errors in the kernel
  • Heap buffer overflow in NonPagedPoolNx during NtfsReadMftRecord processing, observable as pool corruption bugchecks or controlled overwrites of adjacent allocations
  • Crafted MFT FILE records with attribute lengths exceeding the record allocation size, causing memcpy to write beyond the destination buffer
  • Anomalous sequence of VHD mount followed by rapid privilege escalation of the mounting process to SYSTEM
  • VHD files arriving via email, web download, or removable media with unusually small file sizes but valid NTFS formatting (indicating hand-crafted filesystem metadata)

Broader Significance

CVE-2025-24993 is the payload delivery mechanism of the March 2025 NTFS trio. The companion information disclosure bugs (CVE-2025-24984 and CVE-2025-24991) provide the kernel address information needed for reliable exploitation, while CVE-2025-24993 provides the memory corruption that achieves code execution. This chaining pattern, where info-disclosure and memory corruption bugs in the same subsystem are exploited together, is increasingly common in modern attack campaigns. The attack vector (a VHD file) makes it particularly dangerous because VHD mounts trigger complex kernel parsing with minimal user interaction.

References