Description
In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata

We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an attribute header
indicates an empty run list, while directory entries reference it as
containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way
to represent an empty run list, and run_unpack() correctly handles this by
checking if evcn + 1 equals svcn and returning early without parsing any run
data. However, this creates a problem when there is metadata inconsistency,
where the attribute header claims to be empty (evcn=-1) but the caller
expects to read actual data. When run_unpack() immediately returns success
upon seeing this condition, it leaves the runs_tree uninitialized with
run->runs as NULL. The calling function attr_load_runs_range() assumes
that a successful return means that the runs were loaded and sets clen to 0,
expecting the next run_lookup_entry() call to succeed. Because runs_tree
remains uninitialized, run_lookup_entry() continues to fail, and the loop
increments vcn by zero (vcn += 0), leading to an infinite loop.

This patch adds a retry counter to detect when run_lookup_entry() fails
consecutively after attr_load_runs_vcn(). If the run is still not found on
the second attempt, it indicates corrupted metadata and returns -EINVAL,
preventing the Denial-of-Service (DoS) vulnerability.
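
Added example (not part of the CVE record or the kernel patch): a userspace C model of the loop described above, showing why the pre-fix loop makes no progress and how a retry counter turns that into -EINVAL. All struct and function names here (model_lookup, model_load, model_load_range, use_retry, max_iter) are hypothetical stand-ins for the kernel's.

```c
#include <errno.h>
#include <stdint.h>
/* Simplified stand-ins for the kernel structures (assumptions, not ntfs3 code). */
struct run { uint64_t vcn, len; };
struct runs_tree { const struct run *runs; unsigned count; };
struct attr_hdr { int64_t svcn, evcn; struct runs_tree packed; };

/* Models run_lookup_entry(): 1 and *clen if vcn is mapped, otherwise 0. */
static int model_lookup(const struct runs_tree *t, uint64_t vcn, uint64_t *clen)
{
    for (unsigned i = 0; i < t->count; i++) {
        uint64_t end = t->runs[i].vcn + t->runs[i].len;
        if (vcn >= t->runs[i].vcn && vcn < end) {
            *clen = end - vcn;
            return 1;
        }
    }
    return 0;
}

/* Models attr_load_runs_vcn(): success, but an empty run list leaves t untouched. */
static int model_load(const struct attr_hdr *a, struct runs_tree *t)
{
    if (a->evcn + 1 != a->svcn)
        *t = a->packed;
    return 0;
}

/* Models the attr_load_runs_range() loop; use_retry=0 is the pre-fix loop. */
int model_load_range(const struct attr_hdr *a, struct runs_tree *t,
                     uint64_t from, uint64_t to, int use_retry, unsigned max_iter)
{
    uint64_t clen = 0;
    int err, retry = 0;
    for (uint64_t vcn = from; vcn <= to; vcn += clen, max_iter--) {
        if (max_iter == 0) return -ELOOP;   /* model-only guard so the demo ends */
        if (model_lookup(t, vcn, &clen)) {
            retry = 0;
            continue;
        }
        if (use_retry && retry)
            return -EINVAL;     /* still unmapped after a load: corrupt */
        if ((err = model_load(a, t)) != 0)
            return err;
        clen = 0;               /* re-check the same vcn: vcn += 0 */
        retry = 1;
    }
    return 0;
}
```

With a header of svcn=0, evcn=-1 and a requested range of VCN 0..3, the pre-fix variant only stops because of the model's iteration guard, while the retry variant returns -EINVAL on the second failed lookup.
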
Published: 2026-03-18
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability in the Linux kernel's ntfs3 filesystem causes an infinite loop during attribute run loading when metadata is inconsistent. A malformed NTFS image can trigger the loop, exhausting CPU resources and leading to a denial-of-service condition for the affected system. The underlying flaw is that the runs_tree is left uninitialized and the inconsistent metadata is not validated, so a corrupted NTFS image keeps triggering the loop until the kernel becomes unresponsive.

Affected Systems

The affected product is the Linux kernel (any version that includes the ntfs3 driver where this bug exists). Exact version details are not provided in the CVE data, so any kernel release that predates the patch and contains this empty-run-list handling is potentially impacted.

Risk and Exploitability

The vulnerability is exploitable via a specially crafted NTFS image, which could be presented locally or over a network if the image is processed by the system. While no EPSS score is available, the issue is serious enough to appear in kernel advisories, and it is not listed in the CISA KEV catalog. The risk is that an attacker with sufficient access to supply a malicious NTFS image can cause system downtime without requiring elevated privileges. The patch mitigates the issue by detecting consecutive run‑lookup failures and aborting with an error instead of looping indefinitely.

Generated by OpenCVE AI on March 18, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the ntfs3 fix. If immediate patching is not possible, avoid mounting or otherwise processing potentially corrupted NTFS images until the kernel is updated.

Generated by OpenCVE AI on March 18, 2026 at 11:22 UTC.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 00:15:00 +0000


Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Title fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:31.145Z

Reserved: 2026-03-17T09:08:18.457Z

Link: CVE-2025-71265

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T11:16:15.373

Modified: 2026-03-18T14:52:44.227

Link: CVE-2025-71265

Redhat

Severity:

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2025-71265 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:59:02Z

Weaknesses

No weakness.