Description
Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network.
Published: 2025-12-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a heap-based buffer overflow (CWE-122) in the Windows Resilient File System (ReFS), allowing an authorized attacker to execute arbitrary code over a network connection. The flaw can lead to full compromise of confidentiality, integrity, and availability on affected systems by permitting the attacker to run malicious instructions with the privileges of the executing process.

Affected Systems

Affected systems include Microsoft Windows 11 versions 23H2, 24H2, 25H2 and 22H3, as well as Microsoft Windows Server 2022, the 2022 23H2 Server Core edition, and Microsoft Windows Server 2025 in both standard and Server Core installations. All of these product lines expose the ReFS component that contains the heap overflow bug.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of < 1% suggests that exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. Attackers must have authorized network access to an affected system and require sufficient privileges to trigger the overflow, implying the risk applies primarily to systems already compromised or to privileged users on the network.

Generated by OpenCVE AI on April 20, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Windows security update that addresses CVE-2025-62456 to all Windows 11 and Windows Server 2022/2025 installations.
  • Restrict or disable the use of ReFS on network shares that are exposed to untrusted or remote participants.
  • Enable detailed file system auditing and monitor ReFS-related events for signs of anomalous activity.



Advisories

No advisories yet.

History

Fri, 12 Dec 2025 20:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Microsoft windows 11 23h2
                     |                | Microsoft windows 11 24h2
                     |                | Microsoft windows 11 25h2
                     |                | Microsoft windows Server 2022 23h2
CPEs                 |                | cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
                     |                | cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
                     |                | cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
                     |                | cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products   |                | Microsoft windows 11 23h2
                     |                | Microsoft windows 11 24h2
                     |                | Microsoft windows 11 25h2
                     |                | Microsoft windows Server 2022 23h2

Tue, 09 Dec 2025 21:15:00 +0000

Type                 | Values Removed | Values Added
Metrics              |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 18:15:00 +0000

Type                 | Values Removed | Values Added
Description          |                | Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network.
Title                |                | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
First Time appeared  |                | Microsoft
                     |                | Microsoft windows 11 23h2
                     |                | Microsoft windows 11 24h2
                     |                | Microsoft windows 11 25h2
                     |                | Microsoft windows Server 2022
                     |                | Microsoft windows Server 2025
                     |                | Microsoft windows Server 23h2
Weaknesses           |                | CWE-122
CPEs                 |                | cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
                     |                | cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
                     |                | cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
                     |                | cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
                     |                | cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
                     |                | cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
                     |                | cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products   |                | Microsoft
                     |                | Microsoft windows 11 23h2
                     |                | Microsoft windows 11 24h2
                     |                | Microsoft windows 11 25h2
                     |                | Microsoft windows Server 2022
                     |                | Microsoft windows Server 2025
                     |                | Microsoft windows Server 23h2
References           |                |
Metrics              |                | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:20.423Z

Reserved: 2025-10-14T18:24:58.483Z

Link: CVE-2025-62456

Vulnrichment

Updated: 2025-12-09T20:18:22.160Z

NVD

Status : Analyzed

Published: 2025-12-09T18:15:57.143

Modified: 2025-12-12T20:03:27.840

Link: CVE-2025-62456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses