
CVE-2025-54916

ntfs.sys -- stack-based buffer overflow via crafted NTFS volume metadata

Summary

Field                Value
Driver               ntfs.sys
Vulnerability Class  Buffer Overflow (Stack)
CVSS                 7.8
Exploited ITW        No
Patch Date           September 9, 2025

Root Cause

The NTFS file system driver parses metadata structures when mounting a volume. These structures describe the layout of the file system: the Master File Table, attribute records, index entries, and various internal bookkeeping data. The driver expects these structures to conform to the NTFS specification, but when presented with a crafted volume, it encounters values that violate those assumptions.

In CVE-2025-54916, the driver fails to validate the size of a metadata structure before copying it onto the kernel stack. A crafted NTFS volume contains an oversized structure that exceeds the stack buffer's capacity. The copy operation writes past the end of the buffer, overwriting adjacent stack data including saved return addresses and other control flow information.

Stack overflows in kernel-mode file system drivers are particularly dangerous because they sit next to control-flow data: unlike a heap overflow, which needs further steps to turn corrupted allocator metadata or object fields into a redirected call, a stack overflow that reaches the saved return address hijacks execution the moment the vulnerable function returns. One caveat applies on Windows: kernel drivers are built with /GS stack cookies, so a plain linear overrun that reaches the return address also clobbers the cookie, and the epilogue check ends in a DRIVER_OVERRAN_STACK_BUFFER (0xF7) bugcheck before the return executes. Reliable exploitation therefore depends on what lies between the buffer and the cookie (pointers, lengths, other locals) or on some way to learn the cookie value; a crash, i.e. a kernel-mode denial of service, is the baseline outcome regardless.
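The missing check described above, as an added illustration rather than code from ntfs.sys (the page does not say which metadata structure the driver mishandles): a minimal walker over the attribute list of an NTFS MFT FILE record, with field offsets taken from the documented on-disk format. unchecked_length_for mirrors the unsafe pattern of taking the on-disk value length at face value; copy_resident_value checks every offset and length against the enclosing structure and against the fixed-size destination before the memcpy. The records are constructed in build_record; the 64-byte buffer size and the lookup of $STANDARD_INFORMATION are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>

#define RECORD_SIZE    1024u  /* typical MFT record size */
#define VALUE_BUF_SIZE 64u    /* assumed size of the fixed stack buffer */
#define ATTR_END       0xFFFFFFFFu
#define ATTR_TYPE_SI   0x10u  /* $STANDARD_INFORMATION */

enum parse_result { PARSE_OK, PARSE_BAD_MAGIC, PARSE_BAD_RECORD_SIZE, PARSE_ATTR_OUT_OF_RECORD,
                    PARSE_VALUE_OUT_OF_ATTR, PARSE_VALUE_TOO_LARGE, PARSE_NOT_FOUND };

/* Little-endian field access, as on disk. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Hardened pattern: find the first resident attribute of `type` and copy its
 * value into out[VALUE_BUF_SIZE]. Every offset and length is checked against
 * the structure that contains it, and against the destination, before use. */
enum parse_result copy_resident_value(const uint8_t *rec, size_t rec_len, uint32_t type,
                                      uint8_t *out, uint32_t *out_len)
{
    if (rec_len < 32 || memcmp(rec, "FILE", 4) != 0)
        return PARSE_BAD_MAGIC;
    uint32_t in_use = rd32(rec + 24), alloc = rd32(rec + 28);
    if (alloc > rec_len || in_use > alloc)
        return PARSE_BAD_RECORD_SIZE;

    for (uint32_t off = rd16(rec + 20);;) {
        /* Attributes are 8-byte aligned; the terminator needs 4 bytes, a resident header 24. */
        if (off % 8 != 0 || off + 4 > in_use)
            return PARSE_ATTR_OUT_OF_RECORD;
        uint32_t attr_type = rd32(rec + off);
        if (attr_type == ATTR_END)
            return PARSE_NOT_FOUND;
        if (off + 24 > in_use)
            return PARSE_ATTR_OUT_OF_RECORD;
        uint32_t attr_len = rd32(rec + off + 4);
        /* Bounded by in_use - off, so off + attr_len can neither wrap nor leave the record. */
        if (attr_len < 24 || attr_len > in_use - off)
            return PARSE_ATTR_OUT_OF_RECORD;
        if (attr_type == type && rec[off + 8] == 0) {      /* non-resident flag clear */
            uint32_t val_len = rd32(rec + off + 16);
            uint16_t val_off = rd16(rec + off + 20);
            if (val_off > attr_len || val_len > attr_len - val_off)
                return PARSE_VALUE_OUT_OF_ATTR;  /* value escapes its attribute */
            if (val_len > VALUE_BUF_SIZE)
                return PARSE_VALUE_TOO_LARGE;    /* the check whose absence overflows the stack */
            memcpy(out, rec + off + val_off, val_len);
            *out_len = val_len;
            return PARSE_OK;
        }
        off += attr_len;
    }
}

/* Constructed sample record (not real disk data): one resident
 * $STANDARD_INFORMATION attribute with `value_space` bytes reserved for its
 * value and `claimed_len` written into the value-length field. */
void build_record(uint8_t rec[RECORD_SIZE], uint32_t value_space, uint32_t claimed_len)
{
    uint8_t *a = rec + 56;
    memset(rec, 0, RECORD_SIZE);
    memcpy(rec, "FILE", 4);
    wr16(rec + 4, 48);                         /* update sequence array offset */
    wr16(rec + 6, 3);                          /* update sequence count, 1024-byte record */
    wr16(rec + 20, 56);                        /* first attribute offset */
    wr32(rec + 24, 56 + 24 + value_space + 8); /* bytes in use, terminator included */
    wr32(rec + 28, RECORD_SIZE);               /* bytes allocated */
    wr32(a + 0, ATTR_TYPE_SI);
    wr32(a + 4, 24 + value_space);             /* attribute length: header + value */
    a[8] = 0;                                  /* resident */
    wr32(a + 16, claimed_len);                 /* value length as the parser sees it */
    wr16(a + 20, 24);                          /* value offset */
    memset(a + 24, 0xAA, value_space);         /* placeholder value bytes */
    wr32(a + 24 + value_space, ATTR_END);
}

/* Build a record and run the hardened parser over it. */
enum parse_result classify(uint32_t value_space, uint32_t claimed_len)
{
    uint8_t rec[RECORD_SIZE], out[VALUE_BUF_SIZE];
    uint32_t n = 0;
    build_record(rec, value_space, claimed_len);
    return copy_resident_value(rec, sizeof rec, ATTR_TYPE_SI, out, &n);
}

/* Unsafe pattern, on the same constructed record: take the first attribute's
 * value length straight off the disk. This is the byte count a vulnerable
 * parser would hand to memcpy() for a VALUE_BUF_SIZE-byte stack buffer. */
uint32_t unchecked_length_for(uint32_t value_space, uint32_t claimed_len)
{
    uint8_t rec[RECORD_SIZE];
    build_record(rec, value_space, claimed_len);
    return rd32(rec + rd16(rec + 20) + 16);
}
```

The (512, 512) case is the instructive one: every field is consistent with the record around it, so a parser that only checks the on-disk structure against itself still passes 512 bytes to a 64-byte stack buffer. The destination-size check is a separate obligation from structural validation, and it is the one a crafted volume is built to exercise.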

Exploitation

The attacker delivers a crafted NTFS volume to the target system. This can take several forms: a malicious VHD or VHDX file that the user mounts by double-clicking, a USB drive carrying a crafted partition, or a disk image hosted on a network share and mounted locally. (An SMB share itself does not reach this code: its file system is parsed by the server, not by the client's ntfs.sys.) When Windows mounts the volume and ntfs.sys begins parsing its metadata, the overflow is triggered. The CVSS 7.8 score reflects a local attack vector: the image has to be mounted on the victim machine.

The overwritten return address redirects execution when the vulnerable function returns. The payload is a ROP chain built from existing kernel code: SMEP blocks jumping to shellcode in user-mode pages, and HVCI, where enabled, keeps kernel data pages non-executable, so direct shellcode is only realistic where those mitigations are absent; kernel CFG constrains indirect calls but does not stop a return-oriented chain. With arbitrary kernel code execution, escalating to SYSTEM or installing a persistent backdoor is straightforward.

Exploitation Primitive

Crafted NTFS volume -> ntfs.sys parses oversized metadata structure
  -> stack buffer overflow -> return address overwritten
  -> kernel code execution

Broader Significance

File system parsing vulnerabilities have a long history in Windows kernel exploitation. The attack vector is attractive because mounting a volume is a common operation that can be triggered in many ways, several of them automatic: Windows mounts the volumes on a USB drive as soon as it is plugged in, and Explorer mounts a .vhd or .vhdx on double-click. NTFS is particularly complex, with numerous metadata structures that must be parsed correctly. This CVE joins CVE-2025-24993 (ntfs.sys, heap-based buffer overflow) and CVE-2025-24985 (the Fast FAT driver), both patched in March 2025, in demonstrating that file system drivers remain a viable kernel attack surface, especially when the attacker controls the storage media or disk image.
