Description
In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST

We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it.

When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread.

This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.
Analysis
A denial-of-service vulnerability exists in the Linux kernel's ntfs3 file system driver where a malformed NTFS image with a zero-sized ATTR_LIST attribute triggers an infinite loop during file system mount operations. The vulnerability affects Linux kernel versions across multiple stable branches (5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc1) and can cause the kernel to hang indefinitely, preventing normal system operation. An attacker can exploit this by providing a crafted NTFS image file that triggers the loop when mounted, requiring no special privileges and resulting in complete denial of service for affected systems.
Technical Context
The vulnerability resides in the ntfs3 file system implementation within the Linux kernel (cpe:2.3:a:linux:linux). Specifically, the ntfs_load_attr_list() function fails to validate that the data_size field of an ATTR_LIST attribute is non-zero before allocating memory via the al_aligned() macro. The ATTR_LIST is a critical NTFS metadata structure used to enumerate file attributes across multiple MFT (Master File Table) records. When data_size is zero, the function still allocates memory due to alignment calculations, creating an inconsistent internal state where ni->attr_list.size equals zero but ni->attr_list.le is non-null. This inconsistency causes the ni_enum_attr_ex() enumeration function to incorrectly conclude that no attribute list exists, leading it to enumerate only the primary MFT record. Upon discovering the ATTR_LIST during enumeration, the code reloads it and restarts the process, creating an infinite loop. The root cause is a failure to implement proper input validation before memory allocation, falling under CWE-835 (Loop with Unreachable Exit Condition) and related validation weaknesses.
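The state machine described in the Description and Technical Context above, as an added user-space model that is not the kernel's own code: load_attr_list_vulnerable() mirrors the pre-patch ntfs_load_attr_list() path (allocation before any size check), load_attr_list_fixed() adds the -EINVAL rejection, and enumerate_model() stands in for ni_enum_attr_ex() plus the caller's reload-and-restart. The structs, kzalloc_model() (a zero-byte request yields a non-NULL sentinel, which is what leaves attr_list.le non-null) and the restart bound are modelling assumptions.

```c
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>

#define MAX_ENUM_RESTARTS 16   /* bound so the model terminates; the driver itself has none */

struct attr_list { size_t size; uint8_t *le; };
/* Model of the primary MFT record: does it carry an ATTR_LIST, and what data_size does it claim? */
struct mft_record { int has_attr_list; size_t attr_list_data_size; };
struct ntfs_inode { struct mft_record mi; struct attr_list attr_list; };

/* Allocator model (assumption): a 0-byte request returns a non-NULL sentinel, not NULL. */
static uint8_t zero_size_sentinel;
static uint8_t *kzalloc_model(size_t n) { return n ? calloc(n, 1) : &zero_size_sentinel; }
static void kfree_model(uint8_t *p) { if (p && p != &zero_size_sentinel) free(p); }

/* Pre-patch behaviour: allocate first, so data_size == 0 leaves size == 0 but le != NULL. */
static int load_attr_list_vulnerable(struct ntfs_inode *ni) {
    size_t data_size = ni->mi.attr_list_data_size;
    uint8_t *le = kzalloc_model(data_size);
    if (!le) return -ENOMEM;
    kfree_model(ni->attr_list.le);
    ni->attr_list.le = le;
    ni->attr_list.size = data_size;
    return 0;
}

/* Patched behaviour: a zero-sized ATTR_LIST is rejected before any allocation. */
static int load_attr_list_fixed(struct ntfs_inode *ni) {
    if (ni->mi.attr_list_data_size == 0) return -EINVAL;
    return load_attr_list_vulnerable(ni);   /* remaining load logic is unchanged */
}

/* The inconsistent state the advisory names: "no list" by size, "list loaded" by pointer. */
static int state_inconsistent(const struct ntfs_inode *ni) {
    return ni->attr_list.size == 0 && ni->attr_list.le != NULL;
}

/* Enumeration model. Returns the number of passes needed to finish, a negative errno if the
   load rejects the image, or -1 when the restart bound is hit (the state the driver spins in). */
static int enumerate_model(struct ntfs_inode *ni, int (*load)(struct ntfs_inode *)) {
    for (int pass = 1; pass <= MAX_ENUM_RESTARTS; pass++) {
        if (ni->attr_list.size != 0) return pass;   /* list present: walk it, done */
        /* size == 0 is read as "no attribute list": only the primary MFT record is scanned */
        if (!ni->mi.has_attr_list) return pass;     /* genuinely no ATTR_LIST: done */
        int err = load(ni);                         /* ATTR_LIST found: (re)load and restart */
        if (err) return err;
    }
    return -1;
}
```

With a valid image the fixed path completes in two passes; with a zero-sized ATTR_LIST the vulnerable path never leaves the size == 0 / le != NULL state, which is exactly the restart loop the mount hangs in.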
Affected Products
Linux kernel versions prior to the fixed releases are affected across multiple stable branches. The fixed releases are Linux 5.15.202 (5.15.x), 6.1.165 (6.1.x), 6.6.128 (6.6.x), 6.12.75 (6.12.x), 6.18.16 (6.18.x), 6.19.6 (6.19.x), and 7.0-rc1; earlier releases on each of these branches carry the unpatched driver. The vulnerability is tracked under CPE entry cpe:2.3:a:linux:linux. Any kernel build that includes the unpatched ntfs3 driver is affected. Fixes are available as kernel.org stable commits 9267d99fade76d44d4a133599524031fe684156e, 976e6a7c51fabf150478decbe8ef5d9a26039b7c, 8d8c70b57dbeda3eb165c0940b97e85373ca9354, 7ef219656febf5ae06ae56b1fce47ebd05f92b68, 9779a6eaaabdf47aa57910d352b398ad742e6a5f, fd508939dbca5eceefb2d0c2564beb15469572f2, and 06909b2549d631a47fcda249d34be26f7ca1711d on their respective kernel branches.
Remediation
Upgrade the Linux kernel to a patched release for your stable branch: 5.15.202 or later, 6.1.165 or later, 6.6.128 or later, 6.12.75 or later, 6.18.16 or later, 6.19.6 or later, or 7.0-rc1 or later. Distributions including Debian, Ubuntu, Red Hat, and others have released kernel security updates addressing this issue; check your distribution's security advisories. Until the kernel upgrade is complete, restrict or disable NTFS mounting on systems that process untrusted media, enforce mount restrictions via AppArmor or SELinux policies to limit access to the ntfs3 driver, and prevent the ntfs3 module from loading via a modprobe blacklist if NTFS support is not required. Monitor kernel logs for hung tasks or stalled mount attempts involving NTFS images. See the kernel.org stable commit references at https://git.kernel.org/stable for detailed patch information.
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 5.10.251-1 | - |
| bookworm | vulnerable | 6.1.159-1 | - |
| bookworm (security) | vulnerable | 6.1.164-1 | - |
| trixie | vulnerable | 6.12.73-1 | - |
| trixie (security) | vulnerable | 6.12.74-2 | - |
| forky | fixed | 6.19.6-2 | - |
| sid | fixed | 6.19.8-1 | - |
| (unstable) | fixed | 6.19.6-1 | - |
EUVD-2025-208821