Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the
entry size ('esize') is retrieved from the log record without adequate
bounds checking.

Specifically, the code calculates the end of the entry ('e2') using:
e2 = Add2Ptr(e1, esize);

It then calculates the size for memmove using 'PtrOffset(e2, ...)',
which subtracts the end pointer from the buffer limit. If 'esize' is
maliciously large, 'e2' exceeds the used buffer size. This results in
a negative offset which, when cast to size_t for memmove, interprets
as a massive unsigned integer, leading to a heap buffer overflow.

This commit adds a check to ensure that the entry size ('esize') strictly
fits within the remaining used space of the index header before performing
memory operations.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DeleteIndexEntryRoot case in the ntfs3 driver's do_action function trusts the entry size taken from a log record without adequate bounds checking. It computes the end-of-entry pointer from that size and derives the memmove length by subtracting that pointer from the buffer limit. When the entry size is unreasonably large, the end pointer lies past the used buffer, the subtraction yields a negative offset and, once cast to an unsigned size_t, that offset becomes a very large positive value, causing a heap buffer overflow. This overflow can corrupt kernel memory, making it a CWE‑805 vulnerability that can lead to privilege escalation.
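The size computation described above, modelled in userspace C as an added example (this is not the ntfs3 source or the upstream patch). It shows the wrapped length next to a bounds-checked delete; `unchecked_tail_len`, `delete_entry_checked`, `e1_off` and `used` are names assumed for the illustration, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code. `used` bytes of buf are valid and the
 * entry to delete starts at offset e1_off with length esize, which comes
 * from untrusted input. e1_off, used and the function names are assumed. */

/* Pre-fix arithmetic: length = (buf + used) - e2, evaluated as size_t.
 * Only computes the length memmove would be handed; nothing is copied. */
static size_t unchecked_tail_len(size_t e1_off, size_t esize, size_t used)
{
    size_t e2_off = e1_off + esize;   /* e2 = Add2Ptr(e1, esize) */
    return used - e2_off;             /* wraps when e2 lies past `used` */
}

/* Hardened form: the entry must fit inside the used region before any
 * pointer is derived from esize. Returns 0 on success, -1 on rejection. */
static int delete_entry_checked(uint8_t *buf, size_t *used,
                                size_t e1_off, size_t esize)
{
    if (e1_off > *used || esize > *used - e1_off)
        return -1;
    size_t e2_off = e1_off + esize;
    memmove(buf + e1_off, buf + e2_off, *used - e2_off);
    *used -= esize;
    return 0;
}

int main(void)
{
    uint8_t buf[64];                  /* constructed sample buffer */
    size_t used = 48;
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (uint8_t)i;

    printf("unchecked length for esize=0xfff0: %zu\n",
           unchecked_tail_len(16, 0xfff0, used));
    printf("checked, esize=0xfff0: %d\n",
           delete_entry_checked(buf, &used, 16, 0xfff0));
    int rc = delete_entry_checked(buf, &used, 16, 8);
    printf("checked, esize=8: %d, used now %zu\n", rc, used);
    return 0;
}
```

The comparison is written as `esize > *used - e1_off` rather than `e1_off + esize > *used` so the check itself cannot wrap.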

Affected Systems

All Linux kernels that include the unpatched ntfs3 driver are affected. This includes the default kernel packages shipped by Linux distributions that have not yet applied the commit that adds the bounds check. No specific version numbers are listed, so any kernel running the vulnerable code is considered at risk until a patched version is installed.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker would need to supply a crafted NTFS volume containing a malicious index entry to the kernel, typically by mounting a USB or block device that contains the malicious data. If the system accepts external storage or mounts untrusted media, the attack could potentially be remote. Exploitation could allow an attacker to corrupt kernel memory and gain elevated privileges.

Generated by OpenCVE AI on May 30, 2026 at 13:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the fix referenced in the commit logs
  • If upgrading is not immediately possible, unmount or remove the affected NTFS filesystem and restrict access to the device from untrusted sources
  • Monitor system logs for abnormal kernel activity or memory corruption events to detect exploitation attempts


Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 28 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Thu, 28 May 2026 12:15:00 +0000


Wed, 27 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-125

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the entry size ('esize') is retrieved from the log record without adequate bounds checking. Specifically, the code calculates the end of the entry ('e2') using: e2 = Add2Ptr(e1, esize); It then calculates the size for memmove using 'PtrOffset(e2, ...)', which subtracts the end pointer from the buffer limit. If 'esize' is maliciously large, 'e2' exceeds the used buffer size. This results in a negative offset which, when cast to size_t for memmove, interprets as a massive unsigned integer, leading to a heap buffer overflow. This commit adds a check to ensure that the entry size ('esize') strictly fits within the remaining used space of the index header before performing memory operations.
Title fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-30T10:46:04.505Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45935

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:09.613

Modified: 2026-05-30T11:17:16.257

Link: CVE-2026-45935

Red Hat

Severity:

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45935 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value