Skip to main content

Linux Kernel CVE-2025-71312

| EUVDEUVD-2025-209966 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w58m-8mj8-hh8w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local mount privilege required to reach NTFS3 path; no confidentiality or integrity impact from a kernel heap leak; sustained availability degradation justifies A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 25, 2026 - 21:10 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()

In ntfs_fill_super(), the fc->fs_private pointer is set to NULL without first freeing the memory it points to. This causes the subsequent call to ntfs_fs_free() to skip freeing the ntfs_mount_options structure.

This results in a kmemleak report:

unreferenced object 0xff1100015378b800 (size 32): comm "mount", pid 582, jiffies 4294890685 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 ed ff ed ff 00 04 00 00 ................ backtrace (crc ed541d8c): __kmalloc_cache_noprof+0x424/0x5a0 __ntfs_init_fs_context+0x47/0x590 alloc_fs_context+0x5d8/0x960 __x64_sys_fsopen+0xb1/0x190 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

This issue can be reproduced using the following commands: fallocate -l 100M test.file mount test.file /tmp/test

Since sbi->options is duplicated from fc->fs_private and does not directly use the memory allocated for fs_private, it is unnecessary to set fc->fs_private to NULL.

Additionally, this patch simplifies the code by utilizing the helper function put_mount_options() instead of open-coding the cleanup logic.

AnalysisAI

Memory leak in the Linux kernel NTFS3 driver's ntfs_fill_super() function allows a local user with mount privileges to gradually exhaust kernel memory by repeatedly mounting NTFS filesystems. The ntfs_mount_options structure (32 bytes per mount) is permanently leaked because fc->fs_private is nulled before ntfs_fs_free() can release it, confirmed by kmemleak tooling. No active exploitation has been identified - EPSS is 0.02% (5th percentile) and this vulnerability is absent from CISA KEV - making it a maintenance-class fix rather than an urgent security priority, though the availability impact is rated High by CVSS.

Technical ContextAI

The vulnerability resides in fs/ntfs3, the in-kernel NTFS3 driver introduced in Linux 5.15. During the mount path invoked via fsopen()/fsmount() syscalls, ntfs_fill_super() is responsible for initializing the superblock. The ntfs_mount_options structure is allocated in __ntfs_init_fs_context() and stored in fc->fs_private. The defect (CWE-401: Missing Release of Memory after Effective Lifetime) occurs because ntfs_fill_super() sets fc->fs_private = NULL before the cleanup callback ntfs_fs_free() executes, causing the cleanup to skip the free since the pointer is gone. The sbi->options field is a copy of fc->fs_private, not the allocation itself, so nulling fc->fs_private serves no protective purpose and only orphans the memory. The fix removes the spurious NULL assignment and standardizes cleanup through the put_mount_options() helper. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, in the commit range from aee4d5a521e9 to dac871d833b0 / f7edab0cee03 across stable branches.

RemediationAI

Upgrade to Linux kernel 6.19.4 or Linux 7.0 (or later), which incorporate the fix commits at https://git.kernel.org/stable/c/dac871d833b09495198dcac81d2ebaa8db11acbc and https://git.kernel.org/stable/c/f7edab0cee03a1cbe0e55a7bcab8d2d8b6b74278. Enterprise distributions (RHEL, Ubuntu, Debian, SUSE) may backport this fix into their own kernel packages independently of upstream version numbers - consult distribution-specific security errata rather than relying solely on upstream version numbers. If immediate patching is not feasible, restrict NTFS3 mount access by blacklisting the ntfs3 kernel module via kernel command line parameter modprobe.blacklist=ntfs3 or by adding 'install ntfs3 /bin/false' to /etc/modprobe.d/; note this will prevent mounting of NTFS filesystems entirely, which may impact removable media or dual-boot workflows. Alternatively, restrict mount namespace capabilities using seccomp or LSM policies to limit which processes can invoke fsopen() with the ntfs3 filesystem type.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2025-71312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy