Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-50158

CVE-2025-50158: Windows 10 1507 Race Condition Vulnerability

CVE-2025-50158 is a time-of-check time-of-use race condition in Windows 10 1507 NTFS that enables local attackers to disclose sensitive information. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-50158 Overview

CVE-2025-50158 is a time-of-check time-of-use (TOCTOU) race condition in the Windows NTFS file system driver. The flaw allows a local, unauthorized attacker to disclose sensitive information by exploiting a timing window between when NTFS validates a resource and when it accesses that resource. Successful exploitation requires user interaction and high attack complexity, but a wide range of supported Windows client and server platforms are affected, from Windows 10 1507 through Windows Server 2025. Microsoft tracks the issue under CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition.

Critical Impact

A local attacker who wins the race window can read kernel or other privileged memory contents handled by NTFS, leading to disclosure of sensitive operating system data.

Affected Products

  • Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (22H2, 23H2, 24H2)
  • Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2025-08-12 - CVE-2025-50158 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-50158

Vulnerability Analysis

The vulnerability resides in the NTFS file system driver, which manages on-disk metadata structures and access control checks for Windows volumes. NTFS validates the state of a file or metadata object at one point in execution, then operates on that object at a later point. Between those two operations, an attacker running on the same host can modify the targeted object to change its identity, attributes, or contents. When NTFS later uses the now-altered object, it leaks data that the calling thread should not be authorized to read.

The access vector is local and the impact is rated high across confidentiality, integrity, and availability. The attack complexity is high because exploitation depends on winning a narrow timing window and requires user interaction, such as opening a crafted file or mounted volume.

Root Cause

The root cause is non-atomic handling of file system state inside NTFS. Validation logic and consumption logic operate on shared, mutable structures without sufficient locking or re-validation. This pattern is classified as CWE-367 and is characteristic of kernel-mode race conditions where a check on a path, handle, or metadata object becomes stale before the dependent operation completes.

Attack Vector

A local attacker prepares a crafted NTFS structure, such as a malicious volume, image, or file, and induces a victim to interact with it. While NTFS processes the structure, the attacker concurrently mutates the underlying object from another thread. Winning the race causes NTFS to return or process data that bypasses the original security check, disclosing memory or file content that should remain protected. No exploit code or in-the-wild activity is reported in the Microsoft advisory at this time.

Detection Methods for CVE-2025-50158

Indicators of Compromise

  • Unexpected mounting of VHD, VHDX, or ISO files containing NTFS volumes from user-writable directories.
  • Repeated, high-frequency file handle operations against the same NTFS object from a non-system process, consistent with race-window probing.
  • Kernel pool or NTFS driver fault events (Ntfs.sys bug checks) correlated with user-initiated file open activity.

Detection Strategies

  • Hunt for processes that programmatically attach virtual disks using Mount-DiskImage, Add-DiskImage, or VirtualDisk APIs from non-administrative contexts.
  • Alert on user-mode binaries opening, reading, and rewriting NTFS metadata files ($MFT, $LogFile, reparse points) in tight loops.
  • Correlate user interaction events such as Explorer file opens against subsequent kernel anomalies tied to Ntfs.sys.

Monitoring Recommendations

  • Enable Windows audit policies for file system and handle manipulation, and forward the events to a centralized analytics platform.
  • Monitor Sysmon events 1, 11, and 23 for suspicious child processes spawned after a user opens a mounted disk image.
  • Track patch compliance for all systems listed in the Microsoft advisory and flag hosts missing the August 2025 cumulative update.

How to Mitigate CVE-2025-50158

Immediate Actions Required

  • Apply the August 2025 Microsoft security updates referenced in the Microsoft CVE-2025-50158 Advisory to all affected Windows client and server systems.
  • Prioritize patching of multi-user systems, terminal servers, and shared workstations where local users are most likely to interact with attacker-supplied files.
  • Restrict the ability of standard users to mount arbitrary disk images, ISOs, and VHDX files via Group Policy or AppLocker.

Patch Information

Microsoft has released fixes for all impacted versions, including Windows 10 (1507, 1607, 1809, 21H2, 22H2), Windows 11 (22H2, 23H2, 24H2), and Windows Server 2008 through 2025. Identify the correct cumulative or monthly rollup for each operating system build in the vendor advisory and validate installation by checking the build number after reboot.

Workarounds

  • Block users from opening untrusted ISO, IMG, VHD, and VHDX files using Attack Surface Reduction rules and email gateway policies.
  • Disable automatic mounting of removable and virtual disk media on high-value endpoints until patches are deployed.
  • Reduce the number of interactive local user sessions on servers, since the vulnerability requires local access with user interaction.
bash
# Verify the NTFS driver version after patching (PowerShell)
Get-Item C:\Windows\System32\drivers\Ntfs.sys |
  Select-Object Name, VersionInfo

# Block standard users from mounting ISO and VHD files via Group Policy
# Computer Configuration > Administrative Templates > System >
#   Removable Storage Access > "All Removable Storage classes: Deny all access" = Enabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.