Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()

In ntfs_fill_super(), the fc->fs_private pointer is set to NULL without
first freeing the memory it points to. This causes the subsequent call to
ntfs_fs_free() to skip freeing the ntfs_mount_options structure.

This results in a kmemleak report:

unreferenced object 0xff1100015378b800 (size 32):
  comm "mount", pid 582, jiffies 4294890685
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 ed ff ed ff 00 04 00 00 ................
  backtrace (crc ed541d8c):
    __kmalloc_cache_noprof+0x424/0x5a0
    __ntfs_init_fs_context+0x47/0x590
    alloc_fs_context+0x5d8/0x960
    __x64_sys_fsopen+0xb1/0x190
    do_syscall_64+0x50/0x1f0
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

This issue can be reproduced using the following commands:
  fallocate -l 100M test.file
  mount test.file /tmp/test

Since sbi->options is duplicated from fc->fs_private and does not
directly use the memory allocated for fs_private, it is unnecessary to
set fc->fs_private to NULL.

Additionally, this patch simplifies the code by utilizing the helper
function put_mount_options() instead of open-coding the cleanup logic.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s ntfs_fill_super() function sets fc->fs_private to NULL without first freeing the ntfs_mount_options structure it points to, so the later call to ntfs_fs_free() has nothing to free and the structure is leaked. kmemleak reports the allocation as an unreferenced object. The defect does not introduce memory corruption or unauthorized access; it simply allows a memory leak to persist.
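
The ownership mistake described above, modelled in user-space C as an added example (not the kernel's code and not part of the original page). The structs and functions are simplified stand-ins, and the clear_private flag is a hypothetical switch between the pre-fix and post-fix behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model only: simplified stand-ins, not the kernel's definitions. */
struct mount_options { unsigned int flags; };
struct fs_context { void *fs_private; };           /* owns the parsed options */
struct sb_info { struct mount_options *options; }; /* owns its own duplicate */

static int live_allocs; /* outstanding allocations, what kmemleak looks for */

static void *model_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p) live_allocs++;
    return p;
}

static void model_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Stand-in for ntfs_fill_super(): sbi->options is a duplicate of fs_private. */
static int fill_super(struct fs_context *fc, struct sb_info *sbi, int clear_private)
{
    sbi->options = model_alloc(sizeof(*sbi->options));
    if (!sbi->options) return -1;
    memcpy(sbi->options, fc->fs_private, sizeof(*sbi->options));
    if (clear_private)
        fc->fs_private = NULL; /* pre-fix: the only reference is dropped here */
    return 0;
}

/* One mount attempt plus full teardown; returns allocations never freed. */
int leaked_after_mount(int clear_private)
{
    struct fs_context fc = { NULL };
    struct sb_info sbi = { NULL };
    live_allocs = 0;
    fc.fs_private = model_alloc(sizeof(struct mount_options));
    if (!fc.fs_private) return -1;
    if (fill_super(&fc, &sbi, clear_private) == 0)
        model_free(sbi.options); /* superblock teardown frees the duplicate */
    model_free(fc.fs_private);   /* stand-in for ntfs_fs_free(): a NULL is skipped */
    return live_allocs;
}

int main(void)
{
    printf("pre-fix: %d leaked, fixed: %d leaked\n", leaked_after_mount(1), leaked_after_mount(0));
    return 0;
}
```

Because the superblock side holds a duplicate, leaving fs_private intact creates no double free; the context teardown simply releases the original.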

Affected Systems

All Linux kernel builds that include the fs/ntfs3 subsystem and lack the commit referenced by the patch (dac871d833b09495198dcac81d2ebaa8db11acbc) are affected. The specific kernel versions susceptible to the leak cannot be enumerated from the available data, but any kernel without this patch exposes the issue.

Risk and Exploitability

The CVE is not listed in CISA’s KEV catalog, and no EPSS score is available. The likely attack vector involves a local privileged process that performs a mount operation on an NTFS image, as demonstrated by the reproduction steps provided. Because the vulnerability does not grant remote code execution or privilege escalation and only results in a memory leak detectable by kmemleak, the overall risk is considered low, contingent on update or mitigation measures.

Generated by OpenCVE AI on May 27, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest version that includes the ntfs_mount_options leak fix.
  • If a kernel update is not immediately possible, restrict or disable mounting of NTFS filesystems by adjusting kernel configuration or applying local access control policies.
  • Monitor kernel logs for kmemleak reports or unexpected mount activity to detect ongoing use of the vulnerable path.

Generated by OpenCVE AI on May 27, 2026 at 15:56 UTC.


Advisories

No advisories yet.

History

Wed, 27 May 2026 16:15:00 +0000

Type                  Values Removed   Values Added
Weaknesses            (none)           CWE-401

Wed, 27 May 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Text identical to the Description section at the top of this page
Title                 (none)           fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()
First Time appeared   (none)           Linux; Linux linux Kernel
CPEs                  (none)           cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:24:03.532Z

Reserved: 2026-05-27T12:23:27.414Z

Link: CVE-2025-71312

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:16:43.763

Modified: 2026-05-27T14:48:31.480

Link: CVE-2025-71312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:15:05Z

Weaknesses