Severity: HIGH
ntfs3 IndexEntry Overflow
CVE-2026-45935
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KernelScan AI score: 6.3 (MEDIUM)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the entry size ('esize') is retrieved from the log record without adequate bounds checking. Specifically, the code calculates the end of the entry ('e2') using:

    e2 = Add2Ptr(e1, esize);

It then calculates the size for memmove using 'PtrOffset(e2, ...)', which subtracts the end pointer from the buffer limit. If 'esize' is maliciously large, 'e2' exceeds the used buffer size. This results in a negative offset which, when cast to size_t for memmove, interprets as a massive unsigned integer, leading to a heap buffer overflow.

This commit adds a check to ensure that the entry size ('esize') strictly fits within the remaining used space of the index header before performing memory operations.
02 KernelScan AI Analysis

Risk summary

Systems that mount NTFS volumes with the ntfs3 driver are exposed to a heap buffer overflow triggered by crafted journal entries. An attacker who can get a malicious NTFS image mounted can trigger kernel memory corruption, potentially leading to privilege escalation or a system crash. The affected journal replay code is part of the ntfs3 driver introduced in Linux 5.15.
Vulnerability analysis
The vulnerability is in the ntfs3 journal replay code, where the entry size taken from a log record is used without bounds checking. When a DeleteIndexEntryRoot operation is replayed, the end-of-entry pointer is computed from the unchecked esize, so a malicious filesystem can place it beyond the used part of the index buffer. PtrOffset then yields a negative difference which, cast to size_t, becomes a huge length, and the resulting memmove runs far past the buffer and corrupts kernel heap memory. The fix validates that the entry fits within the remaining used space before any memory operation is performed.
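The length calculation described in the commit message and in the analysis above, modelled as an added example that is not the kernel's own code: a simplified index header stands in for the ntfs3 structures, `tail_len_unchecked` reproduces the pre-fix arithmetic and shows the wrap to a huge size_t, and `delete_entry_checked` applies the kind of bounds check the fix describes. The structure and function names (`idx_hdr`, `sample_hdr`, `tail_len_unchecked`, `delete_entry_checked`) are assumptions made for this illustration.

```c
/* Constructed model of the DeleteIndexEntryRoot length arithmetic; not the
 * kernel's code. Add2Ptr/PtrOffset mirror the ntfs3 helper semantics. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define Add2Ptr(p, n)    ((void *)((uint8_t *)(p) + (n)))
#define PtrOffset(b, e)  ((size_t)((const uint8_t *)(e) - (const uint8_t *)(b)))

/* Minimal stand-in for an index header: 'used' bytes of entries live in buf. */
struct idx_hdr {
	uint32_t used;      /* bytes of buf in use (from the trusted header) */
	uint8_t  buf[256];  /* entry storage */
};

/* Pre-fix logic: e1 is the entry at 'off', esize comes straight from the
 * log record. Returns the byte count that would be passed to memmove. */
size_t tail_len_unchecked(const struct idx_hdr *h, uint32_t off, uint32_t esize)
{
	const void *e1  = Add2Ptr(h->buf, off);
	const void *e2  = Add2Ptr(e1, esize);          /* may lie past 'used' */
	const void *end = Add2Ptr(h->buf, h->used);
	return PtrOffset(e2, end);                      /* negative -> huge size_t */
}

/* Fixed variant: refuse the record unless the entry fits in the used space. */
bool delete_entry_checked(struct idx_hdr *h, uint32_t off, uint32_t esize)
{
	if (off > h->used || esize > h->used - off)     /* ordered to avoid u32 wrap */
		return false;                               /* corrupt record: reject */
	void *e1  = Add2Ptr(h->buf, off);
	void *e2  = Add2Ptr(e1, esize);
	void *end = Add2Ptr(h->buf, h->used);
	memmove(e1, e2, PtrOffset(e2, end));            /* now bounded by 'used' */
	h->used -= esize;
	return true;
}

/* Constructed sample: 64 bytes in use, buf[i] = i so moves are observable. */
struct idx_hdr sample_hdr(void)
{
	struct idx_hdr h = { .used = 64 };
	for (uint32_t i = 0; i < h.used; i++)
		h.buf[i] = (uint8_t)i;
	return h;
}
```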
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.202 | 36c03f7f177b |
| 6.1 | 6.1.165 | b271c9cb8592 |
| 6.6 | 6.6.128 | a584b9d1059b |
| 6.12 | 6.12.75 | c065541b71b7 |
| 6.18 | 6.18.14 | 78942172d5bf |
| 6.19 | 6.19.4 | f3b437a4c3e0 |
| mainline | 7.0 | b2bc7c44ed17 |