KernelScan.io

HIGH

ntfs3 Journal Record Overflow

CVE-2026-31716

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: validate rec->used in journal-replay file record check

check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec->used from disk and use it to compute memmove lengths:

DeleteAttribute: memmove(attr, ..., used - asize - roff)
CreateAttribute: memmove(..., attr, used - roff)
change_attr_size: memmove(..., used - PtrOffset(rec, next))

When rec->used is smaller than the offset of a validated attribute, or larger than the record size, these subtractions can underflow allowing us to copy huge amounts of memory into a 4kb buffer, generally considered a bad idea overall.

This requires a corrupted filesystem, which isn't a threat model the kernel really needs to worry about, but checking for such an obvious out-of-bounds value is good to keep things robust, especially on journal replay.

Fix this up by bounding rec->used correctly. This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot") which checked different values in this same switch statement.

02

Engine v0.2.0

Risk summary

A buffer overflow in the ntfs3 filesystem's journal replay (fs/ntfs3/fslog.c) is reachable by mounting a corrupted NTFS filesystem whose journal gets replayed. The upstream commit notes that a corrupted filesystem is not a threat model the kernel normally defends against, but where an attacker can supply the filesystem data (a removable drive or a crafted image that gets mounted), the oversized memmove() corrupts kernel memory and can lead to system compromise.

Affected: fs/ntfs3/fslog.c

Vulnerability analysis

Root Cause: check_file_record() in the ntfs3 journal-replay code validates rec->total against the record size but never validates rec->used. The do_action() replay handlers then take rec->used straight from disk and use it to compute memmove() lengths such as used - asize - roff (DeleteAttribute), used - roff (CreateAttribute) and used - PtrOffset(rec, next) (change_attr_size). These are unsigned subtractions: when rec->used is smaller than the offset of an already-validated attribute, the result wraps to a value near 4 GiB; when rec->used is larger than the record size, the length simply exceeds what remains of the 4KB record. Either way memmove() copies far past the end of the record buffer.

Attack Surface: Triggering the bug requires a corrupted NTFS filesystem whose journal is replayed at mount by the in-kernel ntfs3 driver (fs/ntfs3, not the FUSE-based ntfs-3g). The attack surface is local: the attacker must be able to present a malformed NTFS filesystem to the kernel, for example via removable media or a crafted filesystem image that gets mounted. Hosts that automount removable NTFS volumes are the realistic exposure.

Fix Mechanism: The patch bounds rec->used in the record check: (1) rec->used must not exceed the record size (rs); (2) rec->used must be at least the offset of the first attribute (ao); and (3) for each attribute visited while walking the record, rec->used must cover that attribute's position plus the size of the attribute type field. A record failing any of these is rejected before the replay handlers run, so the subtractions that feed memmove() lengths can no longer underflow.
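The following is an added illustration of the root cause and the fix described above; it is not code from the Linux kernel or from KernelScan. It uses a simplified 4 KiB file record (struct toy_hdr, struct toy_attr, TOY_ATTR_END and all toy_* names are invented here, and the real MFT_REC/ATTRIB layouts carry many more fields), reproduces the unsigned `used - asize - roff` length computation that DeleteAttribute replay would hand to memmove(), and implements the three bounds on rec->used listed above. The third bound is applied to every attribute header the validation walk visits, including the end marker; that is this example's reading of "the current attribute position", not a quotation of the patch.

```c
/* Added example for this advisory, not code from the Linux kernel or KernelScan.
 * It models the rec->used problem on a simplified 4 KiB file record: a header
 * (struct toy_hdr) then attribute headers (struct toy_attr) ending with
 * TOY_ATTR_END. Both structs and all toy_* names are invented for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_REC_SIZE 4096u       /* record size "rs": the 4 KiB buffer */
#define TOY_ATTR_END 0xFFFFFFFFu /* attribute-list terminator type */

struct toy_hdr {        /* record header at offset 0 */
    uint16_t attr_off;  /* offset of the first attribute ("ao") */
    uint32_t used;      /* bytes in use; untrusted on-disk value */
    uint32_t total;     /* allocated size; untrusted on-disk value */
};
struct toy_attr {       /* attribute header */
    uint32_t type;
    uint32_t size;      /* whole attribute length ("asize") */
};

/* Record check. fixed == false mirrors the page's description of the unpatched
 * check_file_record(): rec->total is compared with the record size and each
 * attribute must fit in the record, but rec->used is ignored. fixed == true
 * adds the three bounds on rec->used the page lists. */
static bool toy_check_record(const uint8_t *rec, uint32_t rs, bool fixed)
{
    struct toy_hdr h;
    uint32_t off;
    memcpy(&h, rec, sizeof(h));
    off = h.attr_off;
    if (h.total != rs || off < sizeof(h) || off > rs - sizeof(struct toy_attr))
        return false;
    /* Fix (1): used must not exceed rs. Fix (2): used must reach ao. */
    if (fixed && (h.used > rs || h.used < h.attr_off))
        return false;
    for (;;) {
        struct toy_attr a;
        memcpy(&a, rec + off, sizeof(a));
        /* Fix (3): used must cover this header's offset plus its type field;
         * applied to every header the walk visits, the end marker included. */
        if (fixed && h.used < off + sizeof(a.type))
            return false;
        if (a.type == TOY_ATTR_END)
            return true;
        /* Pre-existing: the attribute must fit in the record, not in used. */
        if (a.size < sizeof(a) || a.size >= rs || off + a.size > rs - sizeof(a))
            return false;
        off += a.size;
    }
}

/* Length DeleteAttribute replay hands to memmove for the attribute at roff: the
 * bytes between the end of that attribute and rec->used. Unsigned, so
 * used < roff + asize wraps to a value near 4 GiB. */
static uint32_t toy_delete_tail_len(const uint8_t *rec, uint32_t roff)
{
    struct toy_hdr h;
    struct toy_attr a;
    memcpy(&h, rec, sizeof(h));
    memcpy(&a, rec + roff, sizeof(a));
    return h.used - a.size - roff;
}

/* Would that memmove (source roff + asize, that length) stay inside the record? */
static bool toy_copy_fits(const uint8_t *rec, uint32_t rs, uint32_t roff)
{
    struct toy_attr a;
    memcpy(&a, rec + roff, sizeof(a));
    return (uint64_t)roff + a.size + toy_delete_tail_len(rec, roff) <= rs;
}

/* Constructed record in a static buffer: attributes at 56 (96 bytes) and 152
 * (120 bytes), end marker at 272; rec->used is whatever the caller supplies. */
static const uint8_t *toy_build_record(uint32_t used)
{
    static uint8_t rec[TOY_REC_SIZE];
    struct toy_hdr h = { .attr_off = 56, .used = used, .total = TOY_REC_SIZE };
    struct toy_attr attrs[3] = { { 0x10, 96 }, { 0x30, 120 }, { TOY_ATTR_END, 0 } };
    const uint32_t offs[3] = { 56, 152, 272 };
    memset(rec, 0, TOY_REC_SIZE);
    memcpy(rec, &h, sizeof(h));
    for (int i = 0; i < 3; i++)
        memcpy(rec + offs[i], &attrs[i], sizeof(attrs[i]));
    return rec;
}

int main(void)
{
    const uint32_t used_vals[] = { 280, 40, 100, 8192 }; /* constructed: one sane, three hostile */
    for (int i = 0; i < 4; i++) {
        const uint8_t *rec = toy_build_record(used_vals[i]);
        printf("used=%-5u before-fix=%d after-fix=%d memmove len=%u fits=%d\n",
               used_vals[i], toy_check_record(rec, TOY_REC_SIZE, false),
               toy_check_record(rec, TOY_REC_SIZE, true),
               toy_delete_tail_len(rec, 56), toy_copy_fits(rec, TOY_REC_SIZE, 56));
    }
    return 0;
}
```

All four constructed records pass the pre-fix check. With used = 40 (below the first attribute) or used = 100 (past the first attribute's header but inside its body) the DeleteAttribute length wraps to roughly 4 GiB; with used = 8192 nothing wraps, but the 8040-byte copy still runs past the 4 KiB record. Only used = 280 survives the bounded check. Because the third bound is enforced at every header including the end marker, an accepted record has used at least the end marker's offset plus four bytes, which is larger than roff + asize for every attribute in the record, so the subtraction cannot wrap; the used = 100 case shows why checking only the first attribute's header would not be enough.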

03

Branch     Fixed in    Patch commit
5.15       5.15.209    8e64d33198b5
6.1        6.1.175     1393a467a960
6.6        6.6.136     f90b8a1798b7
6.12       6.12.84     4b1613d7e2de
6.18       6.18.25     0112e6279420
7.0        7.0.2       f79d0403ea20
mainline   7.1-rc1     0ca0485e4b2e