Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the
entry size ('esize') is retrieved from the log record without adequate
bounds checking.

Specifically, the code calculates the end of the entry ('e2') using:
e2 = Add2Ptr(e1, esize);

It then calculates the size for memmove using 'PtrOffset(e2, ...)',
which subtracts the end pointer from the buffer limit. If 'esize' is
maliciously large, 'e2' exceeds the used buffer size. This results in
a negative offset which, when cast to size_t for memmove, interprets
as a massive unsigned integer, leading to a heap buffer overflow.

This commit adds a check to ensure that the entry size ('esize') strictly
fits within the remaining used space of the index header before performing
memory operations.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed NTFS filesystem entry can cause the ntfs3 driver to read an excessively large entry size in the DeleteIndexEntryRoot routine. Because the bounds check is missing, the code computes an end pointer beyond the used buffer and derives the memmove size from it; the resulting negative offset is interpreted as a huge unsigned value, so the memmove writes past the allocated heap area. This kernel-heap buffer overflow can corrupt kernel memory, and memory corruption of this kind is a known route to high-privilege code execution on the host.
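
The length arithmetic described above, modelled in user-space C as an added example (not the kernel source or the upstream patch). The function names, the offsets and the 64-byte sample buffer are assumptions made for illustration; the page does not show the exact condition the fix uses, so `checked_tail_len` is one sound form of the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model (not kernel code). Offsets are relative to the index
 * header; 'used' is the number of valid bytes, 'esize' is untrusted. */

/* Pre-fix arithmetic: length = end of used space minus end of entry (e2).
 * If e2 lies past 'used', the unsigned subtraction wraps to a huge value. */
static size_t unchecked_tail_len(size_t entry_off, size_t esize, size_t used)
{
    size_t e2_off = entry_off + esize;
    return used - e2_off;
}

/* Hardened form: reject an entry that does not fit in the remaining used
 * space. The subtraction is done on trusted values so it cannot wrap. */
static int checked_tail_len(size_t entry_off, size_t esize, size_t used,
                            size_t *tail)
{
    if (entry_off > used || esize == 0 || esize > used - entry_off)
        return -1;
    *tail = used - entry_off - esize;
    return 0;
}

/* Delete one entry by sliding the tail down, only after validation. */
static int delete_entry(uint8_t *buf, size_t *used, size_t entry_off,
                        size_t esize)
{
    size_t tail;
    if (checked_tail_len(entry_off, esize, *used, &tail) != 0)
        return -1;
    memmove(buf + entry_off, buf + entry_off + esize, tail);
    *used -= esize;
    return 0;
}

int main(void)
{
    uint8_t buf[64] = {0};  /* constructed sample: 48 of 64 bytes in use */
    size_t used = 48;

    printf("unchecked len, esize=8:      %zu\n", unchecked_tail_len(16, 8, used));
    printf("unchecked len, esize=0xFFF0: %zu\n", unchecked_tail_len(16, 0xFFF0, used));
    printf("checked delete, esize=0xFFF0: %d\n", delete_entry(buf, &used, 16, 0xFFF0));
    printf("checked delete, esize=8:      %d\n", delete_entry(buf, &used, 16, 8));
    return 0;
}
```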

Affected Systems

All Linux kernel releases that contain the ntfs3 driver before the patch are affected. The vulnerability exists in the core NTFS filesystem driver shipped with the Linux kernel. No specific version numbers are listed, so any unpatched kernel that still uses the vulnerable code path (including mainstream distributions’ default kernels) should be considered at risk until a fix is applied.

Risk and Exploitability

The CVSS score is not provided and EPSS is not available, but the presence of a kernel-level heap overflow implies a high impact if exploited. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require the attacker to present a crafted NTFS volume containing a malicious index entry; a local attacker with access to the USB or disk device could supply it. In environments where the system mounts such a volume over a network share or accepts external devices, remote exploitation may be possible. An unpatched kernel is therefore at significant risk of privilege escalation or arbitrary code execution.

Generated by OpenCVE AI on May 27, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the fix referenced in the commit logs
  • If upgrading is not immediately possible, unmount or remove the affected NTFS filesystem and restrict access to the device from untrusted sources
  • Monitor system logs for abnormal kernel activity or memory corruption events to detect exploitation attempts


Advisories

No advisories yet.

History

Wed, 27 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119, CWE-125

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot
First Time appeared Linux, Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux, Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:52.705Z

Reserved: 2026-05-13T15:03:33.086Z

Link: CVE-2026-45935

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:09.613

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T16:30:36Z