Skip to main content

Linux Kernel CVE-2025-71289

| EUVDEUVD-2025-209678 MEDIUM
2026-05-06 Linux GHSA-jr63-v3pm-7xvj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:43 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:02 EUVD
CVE Published
May 06, 2026 - 11:32 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: handle attr_set_size() errors when truncating files

If attr_set_size() fails while truncating down, the error is silently ignored and the inode may be left in an inconsistent state.

AnalysisAI

Silent error suppression in the Linux kernel's NTFS3 filesystem driver allows a local authenticated user to trigger inode inconsistency by causing attr_set_size() to fail during file truncation. Affected systems running NTFS3-mounted volumes may experience filesystem corruption or denial of service without any visible error signal to the kernel. No active exploitation has been identified (EPSS 0.02%, not in CISA KEV), and vendor-released patches are available in Linux 7.0 and 6.19.6.

Technical ContextAI

The NTFS3 driver (fs/ntfs3) is the native in-kernel NTFS read-write filesystem implementation introduced in Linux 5.15, distinct from the older NTFS driver. The vulnerability resides in the truncation code path: when attr_set_size() - responsible for resizing on-disk attribute data - returns an error, the caller discards the return value rather than propagating it. This leaves the in-memory inode in a state that diverges from the on-disk structure, a pattern consistent with CWE-252 (Unchecked Return Value), though no formal CWE is assigned per input data. The CPE string (cpe:2.3:a:linux:linux) spans all architectures where NTFS3 is compiled in or loaded as a module. The affected commit range begins at the NTFS3 merge commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2), covering multiple kernel stable branches until the respective backport fixes landed.

RemediationAI

The primary fix is to upgrade to Linux kernel 7.0 or 6.19.6, which contain the corrected error-propagation logic in fs/ntfs3. Stable-tree patches are available at https://git.kernel.org/stable/c/576248a34b927e93b2fd3fff7df735ba73ad7d01 and https://git.kernel.org/stable/c/6dfea43d11513b7f2892529de55e8f0855108a2c; additional related commits appear at https://git.kernel.org/stable/c/3a718675d6af4992e34ffe86b8f36d471a5afe0e and https://git.kernel.org/stable/c/d73dcd1520d65a34420761641a36b951b14c8c53. If immediate kernel upgrade is not feasible on systems that do not require NTFS3 access, the compensating control is to unload or blacklist the ntfs3 kernel module (add 'blacklist ntfs3' to /etc/modprobe.d/), preventing the vulnerable code path from being reachable entirely - note this will render NTFS3 volumes inaccessible until the module is re-enabled post-patch. Distribution-maintained kernels (RHEL, Debian, Ubuntu, SUSE) may ship backported fixes; check vendor security channels before building from upstream.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2025-71289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy