Description
In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: check return value of indx_find to avoid infinite loop

We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.

A malformed dentry in the ntfs3 filesystem can cause the kernel to hang
during the lookup operations. By setting the HAS_SUB_NODE flag in an
INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the
VCN pointer, an attacker can cause the indx_find() function to repeatedly
read the same block, allocating 4 KB of memory each time. The kernel lacks
VCN loop detection and depth limits, causing memory exhaustion and an OOM
crash.

This patch adds a return value check for fnd_push() to prevent a memory
exhaustion vulnerability caused by infinite loops. When the index exceeds the
size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()
function checks this return value and stops processing, preventing further
memory allocation.
Published: 2026-03-18
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an infinite loop in the ntfs3 filesystem driver of the Linux kernel. A maliciously crafted dentry can set the HAS_SUB_NODE flag and manipulate the VCN pointer in an INDEX_ENTRY so that the indx_find() routine repeatedly reads the same block. Each iteration allocates an additional 4 KB of memory without any loop detection or depth limits, exhausting kernel memory and triggering an OOM kill. The problem is mitigated by checking the return value of fnd_push() so that when the index exceeds the fnd->nodes array, the function returns -EINVAL and the loop is terminated. This prevents the memory exhaustion and kernel crash that would otherwise result.
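The following added example models the mechanism described above in user-space C; it is not the kernel's ntfs3 code. The names `descend` and `push_node`, the struct layouts, the stack capacity of 20, and the flag value are assumptions made for illustration, and the sample index blocks are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH    20   /* assumed capacity of the node stack */
#define HAS_SUB_NODE 0x1  /* flag name from the advisory; value assumed */

struct entry  { uint32_t flags; uint64_t sub_vcn; };  /* toy index entry */
struct finder { size_t level, reads; uint64_t nodes[MAX_DEPTH]; };
static struct finder fnd;

/* Constructed samples: block 1 of LOOPED points back to itself. */
static const struct entry LOOPED[] = { {HAS_SUB_NODE, 1}, {HAS_SUB_NODE, 1} };
static const struct entry SANE[] = { {HAS_SUB_NODE, 1}, {HAS_SUB_NODE, 2}, {0, 0} };

/* Bounded push: refuses with -EINVAL once the stack is full. */
static int push_node(struct finder *f, uint64_t vcn)
{
    if (f->level >= MAX_DEPTH) return -EINVAL;
    f->nodes[f->level++] = vcn;
    return 0;
}

/* Follow sub-node pointers from block 0. check_push=0 models a walk that
 * ignores the push result; budget exists only so that case ends here. */
static int descend(const struct entry *blk, size_t n, int check_push,
                   size_t budget, struct finder *f)
{
    uint64_t vcn = 0;
    f->level = f->reads = 0;
    for (;;) {
        if (vcn >= n) return -EINVAL;           /* pointer outside the index */
        if (f->reads >= budget) return -ELOOP;  /* demo cap reached */
        f->reads++;              /* stands for one block read + 4 KB alloc */
        int err = push_node(f, vcn);
        if (err && check_push) return err;      /* checked walk stops here */
        if (!(blk[vcn].flags & HAS_SUB_NODE)) return 0;  /* leaf reached */
        vcn = blk[vcn].sub_vcn;
    }
}

int main(void)
{
    int rc = descend(LOOPED, 2, 1, 1000, &fnd);
    printf("looped, checked: rc=%d reads=%zu\n", rc, fnd.reads);
    rc = descend(SANE, 3, 1, 1000, &fnd);
    printf("sane, checked:   rc=%d reads=%zu\n", rc, fnd.reads);
    return 0;
}
```

With the push result honoured, the self-referencing index costs a bounded number of block reads before the walk fails; with it ignored, only the artificial budget ends the walk.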

Affected Systems

Linux systems whose kernel includes the ntfs3 driver and can mount NTFS volumes with it are affected. No specific kernel versions are listed in the CNA data, so any kernel that contains the unpatched ntfs3 driver is potentially vulnerable. Users should verify whether their kernel contains the patch by checking the commit referenced in the CVE description or the kernel release notes.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an attacker must be able to provide a malformed NTFS file system, either by creating a malicious volume or by compromising a system that mounts an untrusted volume. Once the malicious NTFS volume is mounted, the kernel will hang during lookup operations, leading to a denial-of-service condition. The exploit requires file system manipulation and no network or web interface; therefore the risk is high for systems that mount untrusted NTFS volumes or run with insufficient isolation.

Generated by OpenCVE AI on March 18, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that implements the fnd_push() return value check; obtain a kernel update that includes the referenced patch commit.
  • Avoid mounting NTFS3 file systems that originate from untrusted or unknown sources until the kernel is updated.
  • If an update is not immediately possible, restrict access to the device so that only trusted users can mount it.
  • Check vendor or distribution security advisories for updates or additional mitigations.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 00:15:00 +0000


Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash. This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.
Title fs: ntfs3: check return value of indx_find to avoid infinite loop
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:32.286Z

Reserved: 2026-03-17T09:08:18.457Z

Link: CVE-2025-71266

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T11:16:15.560

Modified: 2026-03-18T14:52:44.227

Link: CVE-2025-71266

Redhat

Severity:

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2025-71266 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:59:01Z

Weaknesses

No weakness.