CVE-2025-71265 | EUVD-2025-208818
Published 2026-03-18, Linux

Lifecycle Timeline (4 events)

- Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
- Analysis Generated: Mar 18, 2026 - 10:30 (vuln.today)
- EUVD ID Assigned: Mar 18, 2026 - 10:30 (euvd), EUVD-2025-208818
- CVE Published: Mar 18, 2026 - 10:05 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata

We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data.

In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data.

When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.

This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.

Analysis

An infinite loop in the Linux kernel's NTFS3 file system driver, in attr_load_runs_range(), is triggered by inconsistent on-disk metadata: an attribute header claims an empty run list (evcn=-1 with svcn=0) while the directory entries that reference the attribute expect it to hold data. The affected stable branches are 5.15, 6.1, 6.6, 6.12, 6.18 and 6.19; the fix is in mainline 7.0-rc1 and in the stable releases listed under Affected Products. An attacker who can get a crafted NTFS image mounted (a local user with mount privileges, or a plugged-in device picked up by a desktop automounter) makes a kernel thread spin without bound, pinning a CPU and producing a Denial-of-Service. Only a DoS is described; no memory corruption or privilege escalation is claimed.

Technical Context

The vulnerability lies in the run list parsing logic of the NTFS3 driver. A run list maps the virtual cluster numbers (VCNs) of a non-resident attribute to clusters on disk, and an attribute header with evcn=-1 and svcn=0 is a valid encoding of an empty run list. run_unpack() recognises this case by checking whether evcn + 1 equals svcn and returns success immediately without parsing any run data, so the runs_tree is left uninitialised with run->runs still NULL. attr_load_runs_range() treats that success as "runs loaded" and sets clen to 0, expecting the next run_lookup_entry() call to find the run. On an inconsistent image the lookup keeps failing, the loop advances vcn by clen, which is zero (vcn += 0), and the exit condition is never reached. The root cause is the missing consistency check between the header state and the data the caller expects, classified as CWE-835 (Loop with Unreachable Exit Condition). The fix adds a retry counter: if run_lookup_entry() still fails after attr_load_runs_vcn() has been called once for the same vcn, the metadata is treated as corrupt and -EINVAL is returned instead of looping again.
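The loop shape described above, as an added example that is not kernel code: a self-contained model with the pre-fix loop beside the retry-counter version. The names runs_tree, run_lookup_entry and attr_load_runs_vcn mirror the kernel, but their bodies, the attr_hdr struct, the max_iter guard (present only so the unpatched variant returns instead of hanging), and the two metadata samples are constructed stand-ins for this demonstration.

```c
/* Added example, not kernel code: models the vcn += clen loop in
 * attr_load_runs_range() on an empty-but-referenced run list. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t CLST;

/* Simplified run list: array of (vcn, len) extents; runs is NULL until loaded. */
struct run_entry { CLST vcn; CLST len; };
struct runs_tree { struct run_entry *runs; size_t count; };

/* Simplified attribute header (constructed): svcn/evcn plus the already
 * decoded extents a real driver would obtain from run_unpack(). */
struct attr_hdr {
    CLST svcn, evcn;                 /* evcn + 1 == svcn encodes "empty" */
    const struct run_entry *packed;  /* stand-in for the mapping pairs */
    size_t packed_count;
};

/* Model of run_lookup_entry(): find the extent holding vcn and report the
 * remaining length in *clen. Always fails while the tree is unpopulated. */
static bool run_lookup_entry(const struct runs_tree *run, CLST vcn, CLST *clen)
{
    if (!run->runs) return false;
    for (size_t i = 0; i < run->count; i++) {
        const struct run_entry *e = &run->runs[i];
        if (vcn >= e->vcn && vcn < e->vcn + e->len) {
            *clen = e->vcn + e->len - vcn;
            return true;
        }
    }
    return false;
}

/* Model of attr_load_runs_vcn() -> run_unpack(): the "empty run list"
 * early return reports success but leaves run->runs NULL. */
static int attr_load_runs_vcn(const struct attr_hdr *attr, struct runs_tree *run)
{
    if (attr->evcn + 1 == attr->svcn)   /* evcn = (CLST)-1, svcn = 0 */
        return 0;
    run->runs = malloc(attr->packed_count * sizeof *run->runs);
    if (!run->runs) return -ENOMEM;
    for (size_t i = 0; i < attr->packed_count; i++)
        run->runs[i] = attr->packed[i];
    run->count = attr->packed_count;
    return 0;
}

/* Pre-fix shape: after a "successful" load clen is set to 0, so vcn never
 * advances. max_iter is a demo-only guard; returns -1 when it trips
 * (the real kernel would spin forever). */
static int load_range_unpatched(const struct attr_hdr *attr, struct runs_tree *run,
                                CLST vcn, CLST len, unsigned max_iter)
{
    CLST vcn_end = vcn + len;
    unsigned iters = 0;
    while (vcn < vcn_end) {
        CLST clen;
        if (++iters > max_iter) return -1;
        if (!run_lookup_entry(run, vcn, &clen)) {
            int err = attr_load_runs_vcn(attr, run);
            if (err) return err;
            clen = 0;            /* assume loaded, retry lookup next pass */
        }
        vcn += clen;             /* clen == 0: no progress */
    }
    return 0;
}

/* Fixed shape: a lookup that still fails right after a load means the
 * header and the caller disagree, so bail out with -EINVAL. */
static int load_range_patched(const struct attr_hdr *attr, struct runs_tree *run,
                              CLST vcn, CLST len)
{
    CLST vcn_end = vcn + len;
    unsigned retries = 0;
    while (vcn < vcn_end) {
        CLST clen;
        if (run_lookup_entry(run, vcn, &clen)) {
            retries = 0;
            vcn += clen;
            continue;
        }
        if (++retries > 1) return -EINVAL;   /* second consecutive miss */
        int err = attr_load_runs_vcn(attr, run);
        if (err) return err;
    }
    return 0;
}

/* Constructed metadata: a consistent 8-cluster attribute, and the
 * inconsistent case from the advisory (header says empty, caller wants data). */
static const struct run_entry good_runs[] = { {0, 4}, {4, 4} };
static const struct attr_hdr consistent   = { .svcn = 0, .evcn = 7, .packed = good_runs, .packed_count = 2 };
static const struct attr_hdr inconsistent = { .svcn = 0, .evcn = (CLST)-1, .packed = NULL, .packed_count = 0 };

static int demo_patched(const struct attr_hdr *a)
{
    struct runs_tree run = { NULL, 0 };
    int r = load_range_patched(a, &run, 0, 8);
    free(run.runs);
    return r;
}

static int demo_unpatched(const struct attr_hdr *a)
{
    struct runs_tree run = { NULL, 0 };
    int r = load_range_unpatched(a, &run, 0, 8, 1000);
    free(run.runs);
    return r;
}

int main(void)
{
    printf("patched,   consistent:   %d\n", demo_patched(&consistent));
    printf("patched,   inconsistent: %d (-EINVAL)\n", demo_patched(&inconsistent));
    printf("unpatched, consistent:   %d\n", demo_unpatched(&consistent));
    printf("unpatched, inconsistent: %d (guard tripped; kernel would spin)\n",
           demo_unpatched(&inconsistent));
    return 0;
}
```

The unpatched variant is only terminated by the demo guard; without it the consistent case still completes (one wasted pass, then real progress) while the inconsistent case loops with vcn stuck at 0, which is exactly the CPU-pinning condition the advisory describes.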

Affected Products

The Linux kernel is affected across multiple stable branches as tracked by ENISA EUVD-2025-208818: 5.15 prior to 5.15.202, 6.1 prior to 6.1.165, 6.6 prior to 6.6.128, 6.12 prior to 6.12.75, 6.18 prior to 6.18.16, 6.19 prior to 6.19.6, and mainline development versions before 7.0-rc1, the release that carries the fix. The CPE designator cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* applies. Only systems with NTFS3 support built in (CONFIG_NTFS3_FS=y) or available as the ntfs3 module are exposed. The fix commits af839013c70a24779f9d1afb1575952009312d38, a89bc96d5abd8a4a8d5d911884ea347efcdf460b, 6f07a590616ff5f57f7c041d98e463fad9e9f763, 78b61f7eac37a63284774b147f38dd0be6cad43c, c0b43c45d45f59e7faad48675a50231a210c379b, 3c3a6e951b9b53dab2ac460a655313cf04c4a10a, and 4b90f16e4bb5607fb35e7802eb67874038da4640 are the patch as applied to mainline and each stable branch; each can be viewed at https://git.kernel.org/stable/c/<hash>, and https://git.kernel.org/stable/ has the branch history.

Remediation

Upgrade the Linux kernel to a patched version for your branch: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0-rc1, or any later release. Consult your distribution's security channels (Ubuntu Security Notices, Red Hat Security Advisories, the Debian security tracker, etc.) for the packaged kernel that carries the fix. Until patching is feasible: disable NTFS3 where it is not needed (leave CONFIG_NTFS3_FS unset when building, or for distribution kernels prevent the module from loading with an /etc/modprobe.d entry such as "install ntfs3 /bin/false", which also blocks explicit loads, and confirm with lsmod that it is not already resident); restrict mounting to trusted administrators via sudo/polkit policies, keeping in mind that desktop automounters (for example udisks2) will mount removable media on behalf of ordinary users; and enforce mount restrictions at the container or hypervisor level in multi-tenant environments. Systems on which untrusted NTFS images cannot be mounted face minimal additional risk from this vulnerability.

Priority Score

Score: 0 on a Low / Medium / High / Critical scale. Components: KEV 0, EPSS +0.0, CVSS +0, POC 0 (not in CISA KEV, no public proof of concept, no CVSS score recorded at the time of analysis).

Vendor Status

Debian (source package: linux)

Release              Status        Package Version  Urgency
bullseye             not-affected  -                -
bullseye (security)  fixed         5.10.251-1       -
bookworm             vulnerable    6.1.159-1        -
bookworm (security)  vulnerable    6.1.164-1        -
trixie               vulnerable    6.12.73-1        -
trixie (security)    vulnerable    6.12.74-2        -
forky                fixed         6.19.6-2         -
sid                  fixed         6.19.8-1         -
(unstable)           fixed         6.19.6-1         -

For rows marked fixed, the version shown is the first package containing the fix; for rows marked vulnerable, it is the currently shipped package, which still lacks it.
