CVE-2025-71267 - Vulnerability Details

- fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST

Description

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST

We found an infinite loop bug in the ntfs3 file system that can lead to a
Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute
indicates a zero data size while the driver allocates memory for it.

When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set
to zero, it still allocates memory because of al_aligned(0). This creates an
inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is
non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute
list exists and enumerates only the primary MFT record. When it finds
ATTR_LIST, the code reloads it and restarts the enumeration, repeating
indefinitely. The mount operation never completes, hanging the kernel thread.

This patch adds validation to ensure that data_size is non-zero before memory
allocation. When a zero-sized ATTR_LIST is detected, the function returns
-EINVAL, preventing a DoS vulnerability.

Published: 2026-03-18

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An infinite loop bug exists in the Linux kernel’s ntfs3 filesystem driver. When a malformed NTFS image contains an ATTR_LIST attribute with zero data size, the driver attempts to allocate memory for it, encounters an inconsistent state, and repeatedly reloads and re‑enumerates the attribute list. This causes the mount operation to hang indefinitely, effectively denying service to the affected volume.

Affected Systems

Any system running a Linux kernel with the ntfs3 driver that mounts NTFS volumes is vulnerable. Because the advisory does not list specific kernel versions, all releases prior to the patch that contain the unmodified ntfs3 code are considered affected. This includes desktop, server, and embedded Linux environments that may automatically mount removable storage devices.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not in CISA’s KEV catalog, indicating a low likelihood of exploitation. The attack vector is inferred to involve an attacker supplying a crafted NTFS image to a system that mounts it, thereby triggering the infinite loop and hanging a kernel thread. The impact is limited to denial of service; there is no elevated privilege or data compromise. The CVSS score of 5.5 suggests moderate severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`be71b5cba2e6485e8959da7a9f9a44461a1bb074`	affected	< 9267d99fade76d44d4a133599524031fe684156e
`be71b5cba2e6485e8959da7a9f9a44461a1bb074`	affected	< 976e6a7c51fabf150478decbe8ef5d9a26039b7c
`be71b5cba2e6485e8959da7a9f9a44461a1bb074`	affected	< 8d8c70b57dbeda3eb165c0940b97e85373ca9354
`be71b5cba2e6485e8959da7a9f9a44461a1bb074`	affected	< 7ef219656febf5ae06ae56b1fce47ebd05f92b68
`be71b5cba2e6485e8959da7a9f9a44461a1bb074`	affected	< 9779a6eaaabdf47aa57910d352b398ad742e6a5f
`be71b5cba2e6485e8959da7a9f9a44461a1bb074`	affected	< fd508939dbca5eceefb2d0c2564beb15469572f2
`be71b5cba2e6485e8959da7a9f9a44461a1bb074`	affected	< 06909b2549d631a47fcda249d34be26f7ca1711d

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9267d99fade76d44d4a133599524031fe684156e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,976e6a7c51fabf150478decbe8ef5d9a26039b7c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8d8c70b57dbeda3eb165c0940b97e85373ca9354)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,7ef219656febf5ae06ae56b1fce47ebd05f92b68)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9779a6eaaabdf47aa57910d352b398ad742e6a5f)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fd508939dbca5eceefb2d0c2564beb15469572f2)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,06909b2549d631a47fcda249d34be26f7ca1711d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a version that includes the ntfs3 fix patch
If a kernel upgrade cannot be applied immediately, avoid mounting NTFS volumes that could contain untrusted data until the patch is deployed
If the vulnerability is triggered, terminate the hung mount process or reboot the system to clear the blocked kernel thread
Monitor system logs for repeated mount failures or kernel hangs that may indicate exploitation attempts

Generated by OpenCVE AI on May 21, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d
https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68
https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354
https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e
https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c
https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f
https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2
https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71267-2a56@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-71267
https://www.cve.org/CVERecord?id=CVE-2025-71267

History

Thu, 21 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20 CWE-666

Thu, 21 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-835
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sun, 29 Mar 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-666

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-758

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-758

Thu, 26 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20 CWE-770

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-770

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-668 CWE-674

Wed, 25 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-668 CWE-674

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-382 CWE-681 CWE-682

Tue, 24 Mar 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-382 CWE-681 CWE-682

Thu, 19 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71267-2a56@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-71267 https://www.cve.org/CVERecord?id=CVE-2025-71267

Wed, 18 Mar 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it. When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread. This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.
Title		fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68 https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354 https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-18T10:05:04.008Z

Updated: 2026-05-11T21:57:05.561Z

Reserved: 2026-03-17T09:08:18.457Z

Link: CVE-2025-71267

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-18T11:16:15.720

Modified: 2026-05-21T18:28:40.587

Link: CVE-2025-71267

Redhat

Severity :

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2025-71267 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T21:30:19Z

Weaknesses

CWE-835

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object