Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()

When a compressed or sparse attribute has its clusters frame-aligned,
vcn is rounded down to the frame start using cmask, which can result
in vcn != vcn0. In this case, vcn and vcn0 may reside in different
attribute segments.

The code already handles the case where vcn is in a different segment
by loading its runs before allocation. However, it fails to load runs
for vcn0 when vcn0 resides in a different segment than vcn. This causes
run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was
never loaded into the in-memory run list, triggering the WARN_ON(1).

Fix this by adding a missing check for vcn0 after the existing vcn
segment check. If vcn0 falls outside the current segment range
[svcn, evcn1), find and load the attribute segment containing vcn0
before performing the run lookup.

The following scenario triggers the bug:
  attr_data_get_block_locked()
    vcn = vcn0 & cmask          <- vcn != vcn0 after frame alignment
    load runs for vcn segment   <- vcn0 segment not loaded!
    attr_allocate_clusters()    <- allocation succeeds
    run_lookup_entry(vcn0)      <- vcn0 not in run -> SPARSE_LCN
    WARN_ON(1)                  <- bug fires here!
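
The load order described above can be reproduced in a small user-space model. This is an added example, not code from the kernel or from this page: the two-segment layout, the LCN values, and the names seg_find(), run_lookup() and get_block() are assumptions made for illustration, and cluster allocation is left out.

```c
/* Toy model of the segment-loading order described above; not ntfs3 source. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SPARSE_LCN UINT64_MAX /* stand-in for the kernel's constant */
#define NSEG 2

struct seg { uint64_t svcn, evcn1, lcn_base; bool loaded; };

/* Constructed layout: the segment boundary (vcn 20) lies inside frame [16, 32). */
static struct seg segs[NSEG] = { { 0, 20, 1000, false }, { 20, 48, 5000, false } };

static struct seg *seg_find(uint64_t vcn)
{
    for (int i = 0; i < NSEG; i++)
        if (vcn >= segs[i].svcn && vcn < segs[i].evcn1)
            return &segs[i];
    return NULL;
}

/* A lookup only sees runs whose segment was loaded into the in-memory list. */
static uint64_t run_lookup(uint64_t vcn)
{
    struct seg *s = seg_find(vcn);
    return (s && s->loaded) ? s->lcn_base + (vcn - s->svcn) : SPARSE_LCN;
}

/* Returns the LCN for vcn0, or SPARSE_LCN where the kernel hits WARN_ON(1). */
uint64_t get_block(uint64_t vcn0, uint64_t frame_clusters, bool with_fix)
{
    uint64_t vcn = vcn0 & ~(frame_clusters - 1); /* cmask: round down to frame start */
    struct seg *cur, *s0;

    for (int i = 0; i < NSEG; i++)
        segs[i].loaded = false;              /* start with an empty run list */
    if (!(cur = seg_find(vcn)))
        return SPARSE_LCN;
    cur->loaded = true;                      /* existing check: load vcn's segment */
    if (with_fix && (vcn0 < cur->svcn || vcn0 >= cur->evcn1) && (s0 = seg_find(vcn0)))
        s0->loaded = true;                   /* added check: load vcn0's segment */
    /* cluster allocation for the frame would happen here (omitted) */
    return run_lookup(vcn0);
}

int main(void)
{
    printf("unpatched: %s\n", get_block(21, 16, false) == SPARSE_LCN ? "SPARSE_LCN" : "mapped");
    printf("patched:   %s\n", get_block(21, 16, true) == SPARSE_LCN ? "SPARSE_LCN" : "mapped");
    return 0;
}
```

With vcn0 = 21 and a 16-cluster frame, vcn rounds down to 16 in the first segment while vcn0 sits in the second, so only the patched order finds a mapping for vcn0.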
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel's NTFS3 file system subsystem. A missing run load for the first VCN in the attr_data_get_block_locked() function allows the run lookup for the base block to fail, producing a WARN_ON(1) that can lead to an Oops and kernel panic. The lack of proper run initialization can therefore induce a denial‑of‑service condition on affected systems.

Affected Systems

All Linux kernels that include the ntfs3 module before the patch commit are affected. The fix was applied in commits 2b4ae1c and d7ea8495, so any distribution shipping a kernel prior to those commits carries this defect. The issue is limited to systems that mount or otherwise access NTFS volumes using the kernel NTFS3 driver.

Risk and Exploitability

The CVSS score is not publicly listed, and the EPSS value is unknown at this time, indicating no reported exploitation activity. The kernel warning can be triggered by a file system operation that accesses a compressed or sparse attribute whose first cluster does not align with the frame start. An attacker with local privileges or an adversary who can force the kernel to read a crafted NTFS volume could exploit the bug, though no remote code execution is evident. The lack of KEV listing suggests low to moderate priority for threat actors; nevertheless, the potential for a system crash warrants prompt attention.

Generated by OpenCVE AI on June 24, 2026 at 18:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit 2b4ae1c or d7ea8495, which resolves the missing run load.
  • Reboot the system to load the updated kernel image.
  • Verify that no WARN_ON(1) messages referencing attr_data_get_block_locked() appear in kernel logs after reboot.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:35.740Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53027

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:00:06Z

Weaknesses