CVE-2026-53023 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: terminate the cached volume label after UTF-8 conversion

ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s()
and stores the result in sbi->volume.label. The converted label is later
exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only
returns the number of bytes written and does not add a trailing NUL.

If the converted label fills the entire fixed buffer,
ntfs3_label_show() can read past the end of sbi->volume.label while
looking for a terminator.

Terminate the cached label explicitly after a successful conversion and
clamp the exact-full case to the last byte of the buffer.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the ntfs3 driver converts the on‑disk NTFS volume label from UTF‑16 to UTF‑8, storing it in sbi->volume.label. The conversion routine does not append a terminating NUL, so when a label is exactly the size of the buffer, the display function ntfs3_label_show() can read past the end of the buffer while searching for a terminator. This out‑of‑bounds read can expose arbitrary kernel memory to the caller, potentially leaking sensitive data.

Affected Systems

All Linux kernel implementations containing the ntfs3 filesystem driver before the patch. Specific affected versions are not listed, so any kernel that has not yet incorporated the fix should be considered vulnerable.

Risk and Exploitability

The vulnerability does not allow code execution; it permits a local or privileged attacker to read beyond the boundary of the volume label buffer. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog, suggesting that widespread exploitation is unlikely at present. Nevertheless, the ability to read kernel memory can aid in further privilege escalation or information gathering, making the risk significant for systems that mount NTFS partitions on untrusted media.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< 32b0686369e0afbb3549a0d93e2d8517da84cd30
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< bc7a0c34c4ca259cfddf3bc18fc5b3c6411d26ed
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< 0b11fcbe80a59acdf58337d80ebb5f72201d73d6
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< 54d564b762389679e2f8fb9eeb20af7e82371e1c
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< 6136bbb054f7ab9f51ae99915541633b18bcef90
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< 5cd0707b81cb4589f00aec5c4c1288bd0980d2a4
`82cae269cfa953032fbb8980a7d554d60fb00b17`	affected	< a6cd43fe9b083fa23fe1595666d5738856cb261a

Linux

affected

Version	Status	Constraints
`5.15`	affected	—
`0`	unaffected	< 5.15
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the ntfs3 label null‑termination patch.
If upgrading immediately is not possible, unload the ntfs3 module or ensure it is not loaded on systems where NTFS partitions are not required.
When a patch delay is unavoidable, avoid mounting NTFS volumes with large volume labels or disable NTFS support in the kernel if it is not needed.

Generated by OpenCVE AI on June 24, 2026 at 18:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0b11fcbe80a59acdf58337d80ebb5f72201d73d6
https://git.kernel.org/stable/c/32b0686369e0afbb3549a0d93e2d8517da84cd30
https://git.kernel.org/stable/c/54d564b762389679e2f8fb9eeb20af7e82371e1c
https://git.kernel.org/stable/c/5cd0707b81cb4589f00aec5c4c1288bd0980d2a4
https://git.kernel.org/stable/c/6136bbb054f7ab9f51ae99915541633b18bcef90
https://git.kernel.org/stable/c/a6cd43fe9b083fa23fe1595666d5738856cb261a
https://git.kernel.org/stable/c/bc7a0c34c4ca259cfddf3bc18fc5b3c6411d26ed

History

Wed, 24 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125 CWE-20

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: terminate the cached volume label after UTF-8 conversion ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s() and stores the result in sbi->volume.label. The converted label is later exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only returns the number of bytes written and does not add a trailing NUL. If the converted label fills the entire fixed buffer, ntfs3_label_show() can read past the end of sbi->volume.label while looking for a terminator. Terminate the cached label explicitly after a successful conversion and clamp the exact-full case to the last byte of the buffer.
Title		fs/ntfs3: terminate the cached volume label after UTF-8 conversion
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0b11fcbe80a59acdf58337d80ebb5f72201d73d6 https://git.kernel.org/stable/c/32b0686369e0afbb3549a0d93e2d8517da84cd30 https://git.kernel.org/stable/c/54d564b762389679e2f8fb9eeb20af7e82371e1c https://git.kernel.org/stable/c/5cd0707b81cb4589f00aec5c4c1288bd0980d2a4 https://git.kernel.org/stable/c/6136bbb054f7ab9f51ae99915541633b18bcef90 https://git.kernel.org/stable/c/a6cd43fe9b083fa23fe1595666d5738856cb261a https://git.kernel.org/stable/c/bc7a0c34c4ca259cfddf3bc18fc5b3c6411d26ed

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:29:32.440Z

Updated: 2026-06-24T16:29:32.440Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53023

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:00:06Z

Weaknesses

CWE-125
Out-of-bounds Read
CWE-20
Improper Input Validation

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object