CVE-2025-21182: Windows 11 24H2 Privilege Escalation Flaw

CVE-2025-21182 is a privilege escalation vulnerability in Windows 11 24H2's Resilient File System (ReFS) Deduplication Service that allows attackers to gain elevated privileges. This article covers technical details.

CVE-2025-21182 Overview

CVE-2025-21182 is an elevation of privilege vulnerability in the Windows Resilient File System (ReFS) Deduplication Service, the component that identifies duplicate data blocks on ReFS volumes and consolidates them. Microsoft classifies the weakness as a double free [CWE-415]. A local attacker who successfully exploits the issue gains elevated privileges on the affected host. Microsoft published the advisory on February 11, 2025 with a severity rating of Important; the CVSS 3.1 base score is 7.4 (High) with vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Attack complexity is High because exploitation depends on conditions the attacker does not fully control, such as winning a race or arranging specific memory state during deduplication processing.

Critical Impact

Although Microsoft rates the vulnerability Important rather than Critical, all three CVSS impact metrics are High (C:H/I:H/A:H): successful exploitation yields code execution in the deduplication service's security context and therefore full compromise of confidentiality, integrity, and availability on the affected Windows 11 24H2 or Windows Server 2025 host.

Affected Products

  • Microsoft Windows 11 version 24H2
  • Microsoft Windows Server 2025 (x64)
  • Systems with the ReFS Deduplication Service component enabled

Discovery Timeline

  • 2025-02-11 - Microsoft publishes advisory and security update for CVE-2025-21182
  • 2025-02-11 - CVE-2025-21182 published to NVD
  • 2025-02-25 - Last updated in NVD database

Technical Details for CVE-2025-21182

Vulnerability Analysis

The vulnerability resides in the ReFS Deduplication Service, a background component that scans ReFS volumes for duplicate data chunks and replaces them with references to a single stored copy. Microsoft's advisory identifies the weakness only as a double free [CWE-415] and does not publish the affected code path; what follows is the general mechanism of such a bug rather than vendor-confirmed detail. A double free releases the same memory region twice, corrupting the heap allocator's bookkeeping. An attacker who can influence allocations between the two frees can have attacker-controlled data land where the allocator expects its own metadata, or where the service still expects a live object, and from there steer subsequent allocations toward a memory-corruption primitive.

Root Cause

The root cause, as far as the CWE-415 classification indicates, is improper tracking of memory ownership during deduplication metadata processing: a code path frees an object and, under a specific race or error-handling condition, frees it again. The second free corrupts heap metadata, and double frees in a privileged service are typically escalated into an arbitrary write and then code execution in the service's security context. Microsoft has not published the specific function or triggering condition involved.

Attack Vector

The attack vector is local (AV:L): the attacker must be able to run code or place content on the host. PR:N means no existing privileges or special group membership are required, so a standard user account suffices. The attacker triggers operations that the ReFS Deduplication Service processes against attacker-controlled file content or metadata on a ReFS volume, repeatedly inducing the vulnerable code path while grooming the heap until the double free leaves the allocator in an exploitable state, then pivots into privileged execution. The High attack complexity reflects this need to control allocator state and timing, not a need for elevated permissions.

No public proof-of-concept code or exploit is available for CVE-2025-21182 at this time. Refer to the Microsoft CVE-2025-21182 Advisory for vendor technical details.

Detection Methods for CVE-2025-21182

Indicators of Compromise

  • Unexpected crashes or restarts of the process hosting ReFS deduplication work (fsdmhost.exe where the Data Deduplication role is installed, or the service host process for the ReFS deduplication service on Windows 11 24H2 and Windows Server 2025)
  • Heap corruption events recorded by Windows Error Reporting (WER) referencing ReFS or deduplication modules
  • New privileged processes or services spawned shortly after deduplication activity on ReFS volumes
  • Anomalous file creation patterns on ReFS volumes designed to maximize duplicate chunk processing

Detection Strategies

  • Monitor Windows Event Logs for service crashes tied to the ReFS Deduplication Service and correlate with local user activity
  • Alert on process lineage where children of the deduplication service inherit SYSTEM and execute interactive or shell binaries
  • Track creation of large volumes of near-duplicate files by non-administrative users as a trigger for deduplication-targeted exploitation

Monitoring Recommendations

  • Enable command-line and process creation auditing (Event ID 4688) on Windows 11 24H2 and Windows Server 2025 hosts
  • Forward ReFS, kernel, and application crash telemetry to a centralized analytics platform for correlation
  • Baseline normal deduplication job durations and frequencies, and alert on outliers that may indicate exploitation attempts
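The following script is an added example, not part of the Microsoft advisory or this page's original content, that implements the detection and monitoring strategy above on a single host: it pulls crash telemetry for deduplication-related modules, parses Security 4688 process-creation events, and correlates SYSTEM-level shell binaries spawned by a service host with a crash shortly before. It assumes (labelled in the comments) that the deduplication component's service or module name contains "refs" or "dedup", and that 4688 auditing with command-line logging is already enabled.

```powershell
# Added example for the detection and monitoring strategy above; it is not part
# of the Microsoft advisory. Assumptions (labelled as such): the ReFS
# deduplication work runs in a service or module whose name contains "refs" or
# "dedup", and Security event 4688 with command-line auditing is enabled.
# Run from an elevated PowerShell session on the host being checked.
param(
    [int]$Hours = 24,                         # look-back window
    [string]$NamePattern = 'refs|dedup',      # assumption: matches the dedup service/module names
    [int]$CorrelationMinutes = 5              # crash-to-child-process window to flag
)

$since = (Get-Date).AddHours(-$Hours)

# Services that look like the deduplication component, so the analyst knows
# which name to pivot on in the crash events below.
$dedupServices = Get-Service | Where-Object {
    $_.Name -match $NamePattern -or $_.DisplayName -match $NamePattern
} | Select-Object Name, DisplayName, Status

# 1. Crash telemetry: Application Error (1000) and WER (1001) in the Application
#    log, unexpected service termination (7031, 7034) in the System log.
$crashes = @(
    @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000, 1001; StartTime = $since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System';      Id = 7031, 7034; StartTime = $since } -ErrorAction SilentlyContinue
    ) | Where-Object { $_.Message -match $NamePattern }
)

# 2. Process lineage from Security 4688. The EventData field names used here
#    (SubjectUserSid, NewProcessName, ParentProcessName, CommandLine) are the
#    documented ones for that event.
function ConvertFrom-ProcessCreation {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        SubjectSid = $data.SubjectUserSid
        Parent     = $data.ParentProcessName
        Child      = $data.NewProcessName
        Command    = $data.CommandLine
    }
}

$shellBinaries = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'
$systemSid     = 'S-1-5-18'   # LocalSystem; 4688 reports the creating account's SID here

$systemShells = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ProcessCreation $_ } |
        Where-Object {
            $_.SubjectSid -eq $systemSid -and
            $shellBinaries -contains (Split-Path $_.Child -Leaf).ToLower() -and
            (Split-Path $_.Parent -Leaf).ToLower() -in 'svchost.exe', 'fsdmhost.exe'
        }
)

# 3. Correlate: a SYSTEM shell spawned by a service host within a few minutes
#    of a dedup-related crash is the lineage the detection strategy calls out.
$window = [TimeSpan]::FromMinutes($CorrelationMinutes)
$hits = foreach ($proc in $systemShells) {
    $priorCrash = $crashes | Where-Object {
        $_.TimeCreated -le $proc.Time -and ($proc.Time - $_.TimeCreated) -le $window
    } | Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($priorCrash) {
        [pscustomobject]@{
            CrashTime = $priorCrash.TimeCreated
            CrashId   = $priorCrash.Id
            SpawnTime = $proc.Time
            Parent    = $proc.Parent
            Child     = $proc.Child
            Command   = $proc.Command
        }
    }
}

"Deduplication-related services:"; $dedupServices | Format-Table -AutoSize
"Dedup-related crash events (last $Hours h): $($crashes.Count)"
"SYSTEM shells under service hosts:          $($systemShells.Count)"
"Correlated crash -> SYSTEM shell pairs:";  $hits | Format-Table -AutoSize
```

Save it as a .ps1 and run it on a host after a suspected incident, or feed the same three queries to your SIEM as scheduled searches. The crash filter is deliberately broad (any 1000/1001/7031/7034 message mentioning the pattern) because the service host's exact image name varies between the Data Deduplication role and the ReFS deduplication service; tighten `$NamePattern` once you have confirmed the service name on your builds.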

How to Mitigate CVE-2025-21182

Immediate Actions Required

  • Apply the February 2025 Microsoft security update for Windows 11 24H2 and Windows Server 2025 as documented in the Microsoft CVE-2025-21182 Advisory
  • Inventory all hosts running ReFS volumes with deduplication enabled and prioritize them for patching
  • Restrict local interactive logon on servers that host ReFS deduplicated volumes to administrative accounts only
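To carry out the inventory step above, here is an added example (not Microsoft's tooling and not from the original page) that reports one host's exposure: OS build and update revision, whether the February 2025 update is present, which volumes are ReFS, and whether a deduplication service exists. It assumes, as labelled in the code, that Windows 11 24H2 and Windows Server 2025 share OS build 26100 and that the February 11, 2025 cumulative update is KB5051987 with update build revision 3194; confirm both values against the Microsoft CVE-2025-21182 advisory before using the result to drive patching.

```powershell
# Added example, not Microsoft's tooling: inventory one host's exposure to
# CVE-2025-21182 so patching can be prioritised. Assumptions (labelled): Windows 11
# 24H2 and Windows Server 2025 are OS build 26100, and the February 11, 2025
# cumulative update is KB5051987 with UBR 3194. Confirm both against the Microsoft
# advisory for the build you run. Run from an elevated PowerShell session.
$AffectedBuild = 26100        # assumption: affected OS build
$FixedUbr      = 3194         # assumption: UBR after the February 2025 update
$FixKb         = 'KB5051987'  # assumption: KB of the February 2025 cumulative update

function Get-RefsDedupExposure {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Volumes formatted ReFS, and any service whose name suggests deduplication.
    $refsVolumes = @(Get-Volume | Where-Object { $_.FileSystemType -eq 'ReFS' })
    $dedupSvcs   = @(Get-Service | Where-Object { $_.Name -match 'dedup' -or $_.DisplayName -match 'dedup' })
    $hotfix      = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue

    # A host on a different build is not in scope for this CVE at all; on the
    # affected build either the UBR or the installed KB shows the fix is present.
    $state = if ($build -ne $AffectedBuild) { 'NotAffectedBuild' }
             elseif ($ubr -ge $FixedUbr -or $hotfix) { 'Patched' }
             else { 'Unpatched' }

    # Patch first where an unpatched affected build actually carries ReFS volumes
    # and a deduplication service; an unpatched host without them is still due
    # the update but is not exposed through this component.
    $priority = if ($state -eq 'Unpatched' -and $refsVolumes.Count -gt 0 -and $dedupSvcs.Count -gt 0) { 'High' }
                elseif ($state -eq 'Unpatched') { 'Medium' }
                else { 'Low' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = "$build.$ubr"
        PatchState    = $state
        ReFSVolumes   = ($refsVolumes | ForEach-Object { if ($_.DriveLetter) { "$($_.DriveLetter):" } else { $_.UniqueId } }) -join ','
        DedupServices = ($dedupSvcs | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ','
        Priority      = $priority
    }
}

Get-RefsDedupExposure | Format-List
```

Run it through `Invoke-Command -ComputerName` against your server estate and export the objects to CSV to build the patch queue; hosts that come back `Priority = High` are the ReFS-with-deduplication systems the bullet list above says to patch first.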

Patch Information

Microsoft released a security update addressing CVE-2025-21182 on February 11, 2025. The fix corrects the memory management logic in the ReFS Deduplication Service to prevent the same allocation from being freed twice. Administrators should deploy the cumulative update for Windows 11 24H2 and Windows Server 2025 through Windows Update, WSUS, or their endpoint management tooling.

Workarounds

  • Disable deduplication on hosts where the feature is not required until the patch is applied; note that the cmdlets involved differ depending on whether the host uses the Windows Server Data Deduplication role or the native ReFS deduplication introduced with Windows Server 2025
  • Limit which users can create files on ReFS volumes that are scheduled for deduplication
  • Enforce least privilege so that standard users cannot stage workloads designed to trigger deduplication code paths
```powershell
# Check deduplication status and disable it on a specific volume (elevated PowerShell).
# These three cmdlets belong to the Deduplication module, which manages the Data
# Deduplication role service on Windows Server; they are not present on Windows 11.
Get-DedupStatus                      # per-volume savings and last job result
Disable-DedupVolume -Volume "D:"     # stop scheduling dedup jobs on D:
Get-DedupVolume                      # confirm D: no longer reports Enabled = True
# Windows Server 2025's native ReFS deduplication is managed by the ReFSDedup
# module instead; list its cmdlets before relying on the name below.
Get-Command -Module ReFSDedup
Disable-ReFSDedup -Volume "D:"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
