Description
In the Linux kernel, the following vulnerability has been resolved:

ntfs3: fix circular locking dependency in run_unpack_ex

Syzbot reported a circular locking dependency between wnd->rw_lock
(sbi->used.bitmap) and ni->file.run_lock.

The deadlock scenario:
1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.
2. run_unpack_ex() takes wnd->rw_lock then tries to acquire
ni->file.run_lock inside ntfs_refresh_zone().

This creates an AB-BA deadlock.

Fix this by using down_read_trylock() instead of down_read() when
acquiring run_lock in run_unpack_ex(). If the lock is contended,
skip ntfs_refresh_zone() - the MFT zone will be refreshed on the
next MFT operation. This breaks the circular dependency since we
never block waiting for run_lock while holding wnd->rw_lock.
Published: 2026-05-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel's NTFS3 driver. A circular lock dependency exists between the bitmap lock wnd->rw_lock (sbi->used.bitmap) and the file run lock ni->file.run_lock. If a user triggers an MFT extension while the driver is refreshing the MFT zone, the two paths acquire these locks in opposite order, leading to an AB-BA deadlock. The result is a kernel stall or system hang, effectively denying service for the affected system. The weakness is a classic lock-deadlock scenario.
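A simplified lock-order model of the two paths named in the description, added here as an illustration (it is not kernel code and not part of the upstream patch). It records which lock is waited for while another is held, the way a lock-order validator does, and shows that a trylock adds no ordering edge; `replay`, `acquire` and the `contended` flag are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes named after the two locks in the description. */
enum { RUN_LOCK, WND_RW_LOCK, NLOCKS };

static int edge[NLOCKS][NLOCKS]; /* edge[a][b]: b was waited for while a was held */
static int held[NLOCKS], nheld;

/* Record an acquisition; returns 0 when a trylock fails (assumed model).
 * A blocking acquire adds held -> lock ordering edges. A trylock never
 * waits, so it adds no edge and cannot close a cycle. */
static int acquire(int lock, int trylock, int contended)
{
    if (trylock && contended)
        return 0;
    if (!trylock)
        for (int i = 0; i < nheld; i++)
            edge[held[i]][lock] = 1;
    held[nheld++] = lock;
    return 1;
}

static void release(void) { nheld--; }

/* Replay both paths; returns 1 if the recorded order is circular (AB-BA).
 * *refreshed reports whether the zone refresh ran in path 2. */
static int replay(int use_trylock, int contended, int *refreshed)
{
    memset(edge, 0, sizeof edge);
    nheld = *refreshed = 0;
    /* Path 1, ntfs_extend_mft(): run_lock, then wnd->rw_lock. */
    acquire(RUN_LOCK, 0, 0); acquire(WND_RW_LOCK, 0, 0);
    release(); release();
    /* Path 2, run_unpack_ex(): wnd->rw_lock, then run_lock for the refresh. */
    acquire(WND_RW_LOCK, 0, 0);
    if (acquire(RUN_LOCK, use_trylock, contended)) {
        *refreshed = 1;   /* stands in for ntfs_refresh_zone() */
        release();
    }
    release();
    return edge[RUN_LOCK][WND_RW_LOCK] && edge[WND_RW_LOCK][RUN_LOCK];
}

int main(void)
{
    int r, c = replay(0, 0, &r);
    printf("down_read():         circular=%d\n", c);
    c = replay(1, 1, &r);
    printf("down_read_trylock(): circular=%d refreshed=%d\n", c, r);
}
```

With the blocking acquire the model records edges in both directions; with the trylock the reverse edge is never recorded, and a contended attempt simply skips the refresh.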

Affected Systems

The issue is present in Linux kernel versions that contain the NTFS3 code paths described above and predate the patch that replaces the blocking lock acquisition with a try-lock. No specific distribution or kernel release is listed, so any Linux distribution using an older kernel that does not include the latest NTFS3 changes is potentially affected.

Risk and Exploitability

The attack vector is local; any user capable of performing NTFS operations on the system can trigger the deadlock by extending the MFT. While there is no documented remote exploitation path, a local attacker who can generate heavy NTFS traffic could bring the system to a halt. The EPSS value is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting limited public exploitation. However, the severity can be high (functionally equivalent to a denial of service). The main risk is that a prolonged deadlock can lock out users and services until a reboot or kernel recovery is performed.

Generated by OpenCVE AI on May 7, 2026 at 04:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the NTFS3 lock fix (e.g., apply upstream kernel updates containing commit 08ce2fee1b869ecbfbd94e0eb2630e52203a2e03).
  • If an immediate kernel upgrade is not possible, disable or avoid using NTFS partitions until the fix is applied, or mount them read‑only to reduce the chance of trigger events.
  • If delays persist, compile and replace the kernel's ntfs3 module with a patched version containing the commit, and load it manually to mitigate until a full kernel upgrade is available.

Generated by OpenCVE AI on May 7, 2026 at 04:29 UTC.


Advisories

No advisories yet.

History

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-892

Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-892

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix circular locking dependency in run_unpack_ex Syzbot reported a circular locking dependency between wnd->rw_lock (sbi->used.bitmap) and ni->file.run_lock. The deadlock scenario: 1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock. 2. run_unpack_ex() takes wnd->rw_lock then tries to acquire ni->file.run_lock inside ntfs_refresh_zone(). This creates an AB-BA deadlock. Fix this by using down_read_trylock() instead of down_read() when acquiring run_lock in run_unpack_ex(). If the lock is contended, skip ntfs_refresh_zone() - the MFT zone will be refreshed on the next MFT operation. This breaks the circular dependency since we never block waiting for run_lock while holding wnd->rw_lock.
Title ntfs3: fix circular locking dependency in run_unpack_ex
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-07T17:14:20.303Z

Reserved: 2026-05-01T14:12:55.988Z

Link: CVE-2026-43127

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:29.727

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43127

Redhat

Severity :

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43127 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T04:30:21Z

Weaknesses