Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local filesystem mount access required (AV:L, PR:L); no confirmed confidentiality or integrity impact; kernel OOB read drives A:H with unchanged scope.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: terminate the cached volume label after UTF-8 conversion
ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s() and stores the result in sbi->volume.label. The converted label is later exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only returns the number of bytes written and does not add a trailing NUL.
If the converted label fills the entire fixed buffer, ntfs3_label_show() can read past the end of sbi->volume.label while looking for a terminator.
Terminate the cached label explicitly after a successful conversion and clamp the exact-full case to the last byte of the buffer.
AnalysisAI
Missing NUL termination in the Linux kernel's ntfs3 filesystem driver allows a local attacker with filesystem mount privileges to trigger an out-of-bounds memory read, crashing the kernel. The defect in ntfs_fill_super() leaves sbi->volume.label unterminated when a UTF-16 volume label converts to a UTF-8 string that exactly fills the fixed buffer, causing ntfs3_label_show() to read past the buffer boundary via a %s format specifier. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the target system and the ability to mount an NTFS filesystem, either through direct mount privileges or via auto-mounting daemons (udisks2/polkit) common on desktop Linux distributions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low-to-moderate despite the CVSS availability rating of High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with filesystem mount privileges - for example, via polkit or udisks2 on a desktop Linux system - crafts a malicious NTFS disk image whose volume label, after UTF-16 to UTF-8 conversion, exactly fills the kernel's fixed-size label buffer without leaving space for a NUL terminator. Upon mounting this image, ntfs_fill_super() stores the unterminated string; when any process subsequently reads the sysfs label attribute (e.g., /sys/fs/ntfs3/<device>/label), ntfs3_label_show() reads beyond the buffer boundary, potentially triggering a kernel panic and system crash. … |
| Remediation | The primary fix is to upgrade to a patched kernel version for your stable branch: 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38891
GHSA-fw3c-7wwh-rhhf