CVE-2026-46072 - Vulnerability Details

- ntfs3: add buffer boundary checks to run_unpack()

Description

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: add buffer boundary checks to run_unpack()

run_unpack() checks `run_buf < run_last` at the top of the while loop
but then reads size_size and offset_size bytes via run_unpack_s64()
without verifying they fit within the remaining buffer. A crafted NTFS
image with truncated run data in an MFT attribute triggers an OOB heap
read of up to 15 bytes when the filesystem is mounted.

Add boundary checks before each run_unpack_s64() call to ensure the
declared field size does not exceed the remaining buffer.

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A missing boundary check in ntfs3's run_unpack() allows a 15‑byte out‑of‑bounds heap read when a truncated NTFS image is mounted. The kernel can read beyond the allocated buffer, potentially leaking kernel memory or causing a crash. This is a classic buffer‑over‑read flaw (CWE‑126).

Affected Systems

All Linux kernel versions before the patch that introduces explicit boundary checks in ntfs3 run_unpack(). The vulnerability is tied to the generic Linux kernel and manifests in any kernel that includes the unpatched ntfs3 driver. No specific vendor or product version list beyond the kernel is provided.

Risk and Exploitability

The attack requires a crafted NTFS image that can be mounted with the ntfs3 driver. The likely attack vector is mounting that image on a local system or any system that has access to it. This inference is based on the fact that the vulnerability is triggered during filesystem mounting. No published exploit probability or CVSS score is available, and the vulnerability is not in the CISA KEV catalog. While the over‑read is limited to 15 bytes, the exposed memory may contain sensitive information or disrupt kernel stability. The actual risk depends on what kernel data is exposed and whether the attacker has higher privileges to use it.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< e64f7dfcaff79e7dfff9121a382dd77f9b462f62
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< d3012690a7065d9ca86521a525ad11e8af491d45
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< 41aadf5cb482793a24e05aa136224e179a778586
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< b62567bca47408e6739dee75f02a2113548af875

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the security patch for ntfs3 run_unpack()
If an update is not immediately possible, avoid mounting suspect NTFS images or use a read‑only mount option to limit the potential impact
Run kernel integrity checks or audit logs to detect any abnormal NTFS mount activity

Generated by OpenCVE AI on May 27, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586
https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875
https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9
https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45
https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62

History

Wed, 27 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-126

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ntfs3: add buffer boundary checks to run_unpack() run_unpack() checks `run_buf < run_last` at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted. Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer. Found by fuzzing with a source-patched harness (LibAFL + QEMU).
Title		ntfs3: add buffer boundary checks to run_unpack()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586 https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875 https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9 https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45 https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:58:00.299Z

Updated: 2026-05-27T12:58:00.299Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46072

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:28.503

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:30:34Z

Weaknesses

CWE-126

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object