Description
In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata

We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an attribute header
indicates an empty run list, while directory entries reference it as
containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way
to represent an empty run list, and run_unpack() correctly handles this by
checking if evcn + 1 equals svcn and returning early without parsing any run
data. However, this creates a problem when there is metadata inconsistency,
where the attribute header claims to be empty (evcn=-1) but the caller
expects to read actual data. When run_unpack() immediately returns success
upon seeing this condition, it leaves the runs_tree uninitialized with
run->runs as a NULL. The calling function attr_load_runs_range() assumes
that a successful return means that the runs were loaded and sets clen to 0,
expecting the next run_lookup_entry() call to succeed. Because runs_tree
remains uninitialized, run_lookup_entry() continues to fail, and the loop
increments vcn by zero (vcn += 0), leading to an infinite loop.

This patch adds a retry counter to detect when run_lookup_entry() fails
consecutively after attr_load_runs_vcn(). If the run is still not found on
the second attempt, it indicates corrupted metadata and returns -EINVAL,
preventing the Denial-of-Service (DoS) vulnerability.
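
The loop described above, reduced to a userspace C model; this is an added example, not the kernel source or the actual patch. The names `lookup`, `load`, `load_range`, the `patched` flag and the `max_iter` guard are hypothetical, and the header values in any call are constructed.

```c
#include <errno.h>
#include <stdbool.h>

struct attr_hdr { long svcn, evcn; };          /* header fields modelled */
struct runs_tree { bool loaded; unsigned long vcn, len; }; /* one extent */

/* Model of run_lookup_entry(): misses while no runs are loaded. */
static bool lookup(const struct runs_tree *run, unsigned long vcn,
                   unsigned long *clen)
{
    if (!run->loaded || vcn < run->vcn || vcn >= run->vcn + run->len)
        return false;
    *clen = run->vcn + run->len - vcn;
    return true;
}

/* Model of the load step; it cannot fail here, i.e. always "succeeds". */
static void load(struct runs_tree *run, const struct attr_hdr *a)
{
    if (a->evcn + 1 == a->svcn)
        return;                 /* empty run list: tree left untouched */
    run->loaded = true;
    run->vcn = a->svcn;
    run->len = a->evcn + 1 - a->svcn;
}

/* max_iter is a harness-only guard so the unpatched path terminates. */
static int load_range(const struct attr_hdr *a, unsigned long from,
                      unsigned long to, bool patched, int max_iter)
{
    struct runs_tree run = { 0 };
    unsigned long vcn, clen = 0;
    int retry = 0, iter = 0;

    for (vcn = from; vcn <= to; vcn += clen) {
        if (++iter > max_iter)
            return -ELOOP;      /* the kernel loop would never exit */
        if (lookup(&run, vcn, &clen)) {
            retry = 0;
            continue;
        }
        if (patched && retry)
            return -EINVAL;     /* second miss after a load: corrupt */
        load(&run, a);
        clen = 0;               /* retry the same vcn */
        retry++;
    }
    return 0;
}
```

With a consistent header (svcn=0, evcn=7) both variants return 0; with the empty header (svcn=0, evcn=-1) the unpatched variant only stops at the harness guard, while the patched one returns -EINVAL on the second miss.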
Published: 2026-03-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Linux kernel’s ntfs3 filesystem causes an infinite loop during attribute run loading when metadata is inconsistent. A malformed NTFS image can trigger the loop, exhausting CPU resources and leading to a denial‑of‑service condition for the affected system. This flaw falls under CWE‑835, reflecting an unchecked infinite loop that results from improper initialization of the runs_tree and lack of input validation. The attacker can craft a corrupted NTFS image that repeatedly triggers the loop until the kernel becomes unresponsive.

Affected Systems

The affected product is the Linux kernel (any version that includes the ntfs3 driver where this bug exists). Exact version details are not provided in the CVE data, so all kernel releases before the patch that handle an empty run list are potentially impacted.

Risk and Exploitability

The vulnerability is exploitable via a specially crafted NTFS image, which could be presented locally or over a network if the image is processed by the system. The EPSS score is below 1%, and the CVSS score of 5.5 indicates moderate severity. The issue is not listed in the CISA KEV catalog. An attacker with sufficient access to supply a malicious NTFS image can cause system downtime without requiring elevated privileges. The patch mitigates the issue by detecting consecutive run-lookup failures and aborting with an error instead of looping indefinitely.

Generated by OpenCVE AI on May 20, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the ntfs3 fix.
  • If immediate patching is not possible, avoid mounting or processing NTFS images from untrusted or unknown sources until the kernel is updated.
  • If the ntfs3 module is not required, consider disabling it or mounting NTFS volumes in read‑only mode to reduce risk of exploitation.


Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Wed, 20 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 19 Mar 2026 00:15:00 +0000


Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description: text identical to the Description section at the top of this page
Title fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:57:03.198Z

Reserved: 2026-03-17T09:08:18.457Z

Link: CVE-2025-71265

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-18T11:16:15.373

Modified: 2026-05-20T19:43:23.257

Link: CVE-2025-71265

Redhat

Severity :

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2025-71265 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T21:00:12Z

Weaknesses