Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: prevent uninitialized lcn caused by zero len

syzbot reported an uninit-value in ntfs_iomap_begin [1].

Since runs was not touched yet, run_lookup_entry() immediately fails
and returns false, which makes the value of "*len" 0.
Simultaneously, the new value and err value are also 0, causing the
logic in attr_data_get_block_locked() to jump directly to ok, ultimately
resulting in *lcn being triggered before it is set [1].

In ntfs_iomap_begin(), the check for a 0 value in clen is moved forward
to before updating lcn to avoid this [1].

[1]
BUG: KMSAN: uninit-value in ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825
ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825
iomap_iter+0x9b7/0x1540 fs/iomap/iter.c:110

Local variable lcn created at:
ntfs_iomap_begin+0x15d/0x1460 fs/ntfs3/inode.c:786
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s NTFS3 driver contained logic that allowed a local variable, the logical cluster number (lcn), to be used before it was initialized. The bug caused the filesystem mapping routine to jump to success paths with an uninitialized value, potentially corrupting kernel memory or causing an Oops. This flaw is a classic use‑of‑uninitialized‑variable error that could lead to a kernel crash or unpredictable behaviour, resulting in a denial of service on the affected system.
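The ordering problem described in the commit message, as an added example that is not code from the kernel or from this page: a simplified user-space C model in which model_get_block, map_before, map_after, LCN_POISON and the cluster values are all hypothetical. A poison constant stands in for the uninitialized lcn, because actually reading an uninitialized variable is undefined behaviour and could not be checked reliably.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for "never written": a real uninitialized read is undefined
 * behaviour, so this model poisons lcn to make the data flow observable. */
#define LCN_POISON 0xDEADBEEFDEADBEEFull

struct mapping { uint64_t addr; bool valid; bool stale_lcn; };

/* Hypothetical lookup: no runs loaded => returns 0, *len = 0, *lcn untouched. */
static int model_get_block(bool runs_loaded, uint64_t vcn, uint64_t *lcn, uint64_t *len)
{
    if (!runs_loaded) { *len = 0; return 0; }
    *lcn = 100 + vcn;                 /* constructed mapping */
    *len = 8;
    return 0;
}

/* Old ordering: lcn is consumed first, the zero-length check comes after. */
static struct mapping map_before(bool runs_loaded, uint64_t vcn)
{
    uint64_t lcn = LCN_POISON, clen = 0;
    struct mapping m = {0, false, false};
    if (model_get_block(runs_loaded, vcn, &lcn, &clen)) return m;
    m.stale_lcn = (lcn == LCN_POISON); /* records that an unset lcn was read */
    m.addr = lcn << 12;                /* lcn consumed here */
    if (!clen) return m;               /* check arrives too late */
    m.valid = true;
    return m;
}

/* Fixed ordering: bail out on clen == 0 before lcn is touched. */
static struct mapping map_after(bool runs_loaded, uint64_t vcn)
{
    uint64_t lcn = LCN_POISON, clen = 0;
    struct mapping m = {0, false, false};
    if (model_get_block(runs_loaded, vcn, &lcn, &clen)) return m;
    if (!clen) return m;               /* nothing mapped, so lcn is not valid */
    m.stale_lcn = (lcn == LCN_POISON);
    m.addr = lcn << 12;
    m.valid = true;
    return m;
}

int main(void)
{
    printf("before=%d after=%d\n", map_before(false, 3).stale_lcn, map_after(false, 3).stale_lcn);
    return 0;
}
```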

Affected Systems

The vulnerability is present in the generic Linux kernel implementation wherever the NTFS3 filesystem code is compiled. No specific version range was supplied in the CVE entry, so any kernel build that includes the unpatched ntfs_iomap_begin routine is potentially affected.

Risk and Exploitability

Because the flaw requires the kernel to process NTFS filesystem requests, it is typically limited to environments where an NTFS volume is mounted or accessed locally. The entry does not provide a CVSS score or EPSS value, and it is not listed in the CISA KEV catalog, suggesting the exploitation likelihood is relatively low but not zero. An attacker with the ability to influence filesystem activity or to trigger the uninitialized variable can force a kernel crash, degrading system availability. No known public exploit exists at the time of this analysis.

Generated by OpenCVE AI on June 24, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the ntfs_iomap_begin fix commit (e.g., the latest stable or long‑term support kernel series).
  • Enable automatic kernel security updates and regularly review distribution security advisories to ensure timely patching of NTFS3‑related fixes.
  • If a kernel upgrade cannot be applied immediately, restrict or avoid mounting NTFS filesystems on the affected hosts and monitor kernel logs for KMSAN or oops entries related to ntfs3.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:00:00 +0000

Values added:
  • Weaknesses: CWE-758

Wed, 24 Jun 2026 17:15:00 +0000

Values added:
  • Description: the text shown under Description above
  • Title: fs/ntfs3: prevent uninitialized lcn caused by zero len
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
  • References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:37.361Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53029

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:45:05Z

Weaknesses
  • CWE-758

    Reliance on Undefined, Unspecified, or Implementation-Defined Behavior