CVE-2025-71267

fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST

Severity Score (CVSS): -
Exploit Likelihood (EPSS)
Affected Versions (CPE)
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST

We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.

When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.

This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.
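
The state machine described above, as an added user-space model that is not the kernel's code: it shows why a zero `size` with a non-null `le` makes the enumeration restart forever, and how rejecting `data_size == 0` ends it. The struct layout, the rounding in `al_aligned()`, `mount_model()`, `MODEL_HANG` and the restart cap are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_HANG 1  /* hypothetical sentinel: restart cap hit (the real driver never returns) */

struct attr_list { void *le; size_t size; };  /* stand-in for ni->attr_list */

/* Assumed rounding helper; the model only needs a buffer to exist for size 0. */
static size_t al_aligned(size_t n) { return (n + 1023) & ~(size_t)1023; }

/* validate == 0 models the behaviour before the patch, validate == 1 after it. */
static int load_attr_list(struct attr_list *al, size_t data_size, int validate)
{
    if (al->size)                 /* size is the only "already loaded" signal */
        return 0;
    if (validate && !data_size)
        return -EINVAL;           /* the check the patch description adds */
    free(al->le);                 /* drop the buffer from a previous reload */
    /* +1 so the model always gets a non-NULL buffer, matching the non-null le reported. */
    al->le = malloc(al_aligned(data_size) + 1);
    if (!al->le)
        return -ENOMEM;
    al->size = data_size;         /* stays 0 for the malformed attribute */
    return 0;
}

/* Enumeration: size == 0 reads as "no attribute list", so ATTR_LIST is found
 * in the primary record again, reloaded, and the walk restarts. */
static int mount_model(size_t data_size, int validate, int max_restarts)
{
    struct attr_list al = { NULL, 0 };
    int err = MODEL_HANG;
    for (int i = 0; i < max_restarts; i++) {
        if (al.size) { err = 0; break; }      /* list visible: enumeration completes */
        err = load_attr_list(&al, data_size, validate);
        if (err) break;                       /* rejected image: mount fails cleanly */
        err = MODEL_HANG;                     /* reloaded, restart the enumeration */
    }
    free(al.le);
    return err;
}

int main(void)
{
    printf("unpatched, data_size=0:  %d\n", mount_model(0, 0, 1000));
    printf("patched,   data_size=0:  %d\n", mount_model(0, 1, 1000));
    printf("patched,   data_size=64: %d\n", mount_model(64, 1, 1000));
    return 0;
}
```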

*Credits: N/A
CVSS Scores
  • Attack Vector: -
  • Attack Complexity: -
  • Privileges Required: -
  • User Interaction: -
  • Scope: -
  • Confidentiality: -
  • Integrity: -
  • Availability: -
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2026-03-17 CVE Reserved
  • 2026-03-18 CVE Published
  • 2026-04-19 EPSS Updated
  • 2026-05-11 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product       Version              Other  Status
Linux   Linux Kernel  >= 5.15 < 5.15.202   en     Affected
Linux   Linux Kernel  >= 5.15 < 6.1.165    en     Affected
Linux   Linux Kernel  >= 5.15 < 6.6.128    en     Affected
Linux   Linux Kernel  >= 5.15 < 6.12.75    en     Affected
Linux   Linux Kernel  >= 5.15 < 6.18.16    en     Affected
Linux   Linux Kernel  >= 5.15 < 6.19.6     en     Affected
Linux   Linux Kernel  >= 5.15 < 7.0        en     Affected