Skip to main content

Linux Kernel CVE-2026-46072

| EUVDEUVD-2026-32454 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h65x-x69q-35px
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local mount required (AV:L); unprivileged local account sufficient (PR:L); kernel crash gives full availability loss (A:H) with no confirmed confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:10 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: add buffer boundary checks to run_unpack()

run_unpack() checks run_buf < run_last at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted.

Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer.

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

AnalysisAI

Out-of-bounds heap read in the Linux kernel ntfs3 driver's run_unpack() function allows a local user to crash the kernel by mounting a crafted NTFS image. The flaw affects multiple stable kernel branches from 5.15 onward, where run list parsing in MFT attributes consumes up to 15 bytes beyond the valid buffer boundary without checking remaining buffer size. No public exploit code exists and EPSS sits at 0.02% (5th percentile), but the local denial-of-service impact is A:H and patches are available across all affected stable branches.

Technical ContextAI

The ntfs3 filesystem driver, introduced in Linux 5.15 as the in-kernel NTFS implementation, decodes filesystem extents via 'run lists' - variable-length encoded structures stored in MFT (Master File Table) attribute records. The vulnerable function run_unpack() iterates over a run buffer bounded by run_buf and run_last, but delegates multi-byte integer decoding to run_unpack_s64() without first verifying that the declared field sizes (size_size and offset_size) fit within the remaining buffer. A crafted NTFS image with truncated run data exploits this gap, triggering an OOB heap read of up to 15 bytes. The affected CPE is cpe:2.3:o:linux:linux_kernel:* across multiple stable branches starting from commit 82cae269cfa953032fbb8980a7d554d60fb00b17. No CWE is formally assigned in the NVD record, but this maps to CWE-125 (Out-of-bounds Read). The vulnerability was discovered via LibAFL + QEMU fuzzing with a source-patched harness, indicating it is reliably reproducible under fuzzing conditions.

RemediationAI

Upgrade to a patched kernel version: 6.6.140, 6.12.86, 6.18.27, or 7.0.4 (stable releases); 7.1-rc1 or later for mainline. Individual fix commits per stable branch are available at https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586, https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875, https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9, https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45, and https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62. Where immediate patching is not feasible, blacklist the ntfs3 kernel module by adding 'blacklist ntfs3' to /etc/modprobe.d/blacklist-ntfs3.conf and running 'update-initramfs -u' - this prevents ntfs3 from loading on next boot; note that ntfs-3g (FUSE-based) remains unaffected and can substitute for NTFS access with no functional loss. Additionally, restrict user namespace-based mounting via 'sysctl -w user.max_user_namespaces=0' on systems that do not require user namespaces, as this closes a common unprivileged mount pathway.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy