Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: terminate the cached volume label after UTF-8 conversion

ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s()
and stores the result in sbi->volume.label. The converted label is later
exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only
returns the number of bytes written and does not add a trailing NUL.

If the converted label fills the entire fixed buffer,
ntfs3_label_show() can read past the end of sbi->volume.label while
looking for a terminator.

Terminate the cached label explicitly after a successful conversion and
clamp the exact-full case to the last byte of the buffer.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s ntfs3 driver converts an on‑disk NTFS volume label from UTF‑16 to UTF‑8 but does not append a terminating NUL character. When the converted string exactly fills the fixed buffer, the display routine searches past the buffer’s end for a terminator, resulting in an out‑of‑bounds read that can expose kernel memory. This weakness aligns with CWE‑170.

Affected Systems

All Linux kernels that include the ntfs3 filesystem driver without the NULL‑termination patch, regardless of distribution or custom compilation. The CVE data does not specify a version range, so any deployment shipping the unpatched driver is potentially vulnerable.

Risk and Exploitability

The EPSS score is below 1 %, and the vulnerability is not listed in CISA’s KEV catalog, indicating a low likelihood of exploitation at present. It is inferred that an attacker would need local access to the host and the ability to invoke the ntfs3_label_show function, typically by mounting or interrogating NTFS partitions. If successful, the read can leak sensitive kernel memory, which could aid further attacks. The overall risk remains high for systems that mount NTFS volumes or accept untrusted media.

Generated by OpenCVE AI on June 27, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the ntfs3 NULL‑termination patch.
  • If upgrading cannot be performed immediately, unload the ntfs3 module or ensure it is not loaded on systems that do not require NTFS support.
  • Avoid mounting NTFS volumes with volume labels that exactly fill the conversion buffer, or disable NTFS support entirely if the filesystem is not needed.

Generated by OpenCVE AI on June 27, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sat, 27 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-20

Sat, 27 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-20

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: terminate the cached volume label after UTF-8 conversion ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s() and stores the result in sbi->volume.label. The converted label is later exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only returns the number of bytes written and does not add a trailing NUL. If the converted label fills the entire fixed buffer, ntfs3_label_show() can read past the end of sbi->volume.label while looking for a terminator. Terminate the cached label explicitly after a successful conversion and clamp the exact-full case to the last byte of the buffer.
Title fs/ntfs3: terminate the cached volume label after UTF-8 conversion
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:32.440Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53023

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53023 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T05:30:11Z

Weaknesses
  • CWE-170

    Improper Null Termination