Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: validate rec->used in journal-replay file record check

check_file_record() validates rec->total against the record size but
never validates rec->used. The do_action() journal-replay handlers read
rec->used from disk and use it to compute memmove lengths:

DeleteAttribute: memmove(attr, ..., used - asize - roff)
CreateAttribute: memmove(..., attr, used - roff)
change_attr_size: memmove(..., used - PtrOffset(rec, next))

When rec->used is smaller than the offset of a validated attribute, or
larger than the record size, these subtractions can underflow allowing
us to copy huge amounts of memory in to a 4kb buffer, generally
considered a bad idea overall.

This requires a corrupted filesystem, which isn't a threat model the
kernel really needs to worry about, but checking for such an obvious
out-of-bounds value is good to keep things robust, especially on journal
replay

Fix this up by bounding rec->used correctly.

This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds
read in DeleteIndexEntryRoot") which checked different values in this
same switch statement.
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug resides in the NTFS3 driver of the Linux kernel; the function that checks file record headers validates only the total size of a record, not the used field. When the used value is extracted from disk and used to compute the length of a memmove, a subtraction can underflow. This causes the kernel to copy data into a fixed 4 KB buffer that may then contain data far beyond the intended size, potentially corrupting nearby kernel memory. The vulnerability is an example of an out‑of‑bounds write that can lead to memory overwrite in kernel space.

Affected Systems

All Linux systems that load the NTFS3 driver are affected. The vulnerability is present in the generic Linux kernel tree, so any distribution that includes the ntfs3 module before the patch is susceptible. No specific kernel version information is given, so the issue applies to any kernel build that has not yet incorporated the bounds check.

Risk and Exploitability

The flaw requires a corrupted NTFS filesystem; no remote attacker interfaces are described. The likely attack vector is a local attacker who can create or manipulate NTFS data that triggers journal replay after the system reboots or during an ongoing session. EPSS data is currently unavailable, and the issue is not listed in the CISA KEV catalog. Thus, exploitation would depend on local or privileged access to a system with a damaged NTFS partition that undergoes journal replay, and the overall risk is moderate for such environments.

Generated by OpenCVE AI on May 2, 2026 at 10:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a Linux kernel release that includes the ntfs3 rec->used bounds check
  • Run a filesystem check on any affected NTFS partitions, for example with ntfsfix or fsck.ntfs, to detect and repair corrupted records
  • After applying the kernel update, reboot the system to load the patched code and verify that journal‑replay errors no longer occur in system logs

Generated by OpenCVE AI on May 2, 2026 at 10:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: validate rec->used in journal-replay file record check check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec->used from disk and use it to compute memmove lengths: DeleteAttribute: memmove(attr, ..., used - asize - roff) CreateAttribute: memmove(..., attr, used - roff) change_attr_size: memmove(..., used - PtrOffset(rec, next)) When rec->used is smaller than the offset of a validated attribute, or larger than the record size, these subtractions can underflow allowing us to copy huge amounts of memory in to a 4kb buffer, generally considered a bad idea overall. This requires a corrupted filesystem, which isn't a threat model the kernel really needs to worry about, but checking for such an obvious out-of-bounds value is good to keep things robust, especially on journal replay Fix this up by bounding rec->used correctly. This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot") which checked different values in this same switch statement.
Title fs/ntfs3: validate rec->used in journal-replay file record check
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:11.263Z

Reserved: 2026-03-09T15:48:24.133Z

Link: CVE-2026-31716

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:21.743

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31716

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31716 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T20:00:11Z

Weaknesses