Description
In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: check return value of indx_find to avoid infinite loop

We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.

A malformed dentry in the ntfs3 filesystem can cause the kernel to hang
during the lookup operations. By setting the HAS_SUB_NODE flag in an
INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the
VCN pointer, an attacker can cause the indx_find() function to repeatedly
read the same block, allocating 4 KB of memory each time. The kernel lacks
VCN loop detection and depth limits, causing memory exhaustion and an OOM
crash.

This patch adds a return value check for fnd_push() to prevent a memory
exhaustion vulnerability caused by infinite loops. When the index exceeds the
size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()
function checks this return value and stops processing, preventing further
memory allocation.
Published: 2026-03-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an infinite loop in the Linux kernel’s ntfs3 file‑system driver. A malformed directory entry can set a flag and change a pointer so that the lookup routine repeatedly reads the same block, allocating an additional 4 KB of memory on each iteration. Because the kernel lacks loop detection, the allocation continues until the system runs out of memory, triggering an out‑of‑memory kill and a kernel crash. The patch corrects this by checking the return code from a helper function, breaking the loop when an array is full, and preventing the memory exhaustion. The flaw is identified as a classic infinite‑loop problem (CWE‑835). An attacker who can supply a crafted NTFS volume that is mounted by the kernel can exploit the flaw; the kernel will hang during lookup operations and the entire system can become unresponsive. Because the exploit requires a malicious file system that the kernel mounts, the attack is local; network or remote interfaces are not involved. The result is a denial‑of‑service condition that affects the host where the volume is mounted.

Affected Systems

All Linux systems that run a kernel containing the unpatched ntfs3 driver and are capable of mounting NTFS volumes are vulnerable. No specific kernel release was listed in the CNA data, so any kernel that has not yet incorporated the described patch is potentially affected. Users should verify whether their installed kernel version contains the commit that adds the return‑value check.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests the exploitation probability is low, and the flaw is not in the CISA KEV catalog. The attack vector is local, inferred from the need to mount a malicious NTFS volume. The exploit requires only that the target system access the vulnerable file system; no network privileges or credentials are needed. Consequently, this DoS risk is primarily relevant to systems that mount or expose NTFS partitions from untrusted sources.

Generated by OpenCVE AI on May 21, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch that checks the return value from the fnd_push() routine. Rebuilding the kernel with the fixed code also achieves the same effect.
  • Avoid mounting NTFS3 file systems that come from unknown or untrusted sources until the kernel has been updated. If this is not possible, mount the volume only as root and deny ordinary users any access to the device.
  • Check your distribution's security advisories or kernel release notes for the specific commit that implements the fix; apply the update or patch accordingly.

Generated by OpenCVE AI on May 21, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Thu, 21 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
CPEs cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References

Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash. This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.
Title fs: ntfs3: check return value of indx_find to avoid infinite loop
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:57:04.405Z

Reserved: 2026-03-17T09:08:18.457Z

Link: CVE-2025-71266

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T11:16:15.560

Modified: 2026-05-21T15:39:12.267

Link: CVE-2025-71266

cve-icon Redhat

Severity :

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2025-71266 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T17:30:15Z

Weaknesses