Skip to main content

Linux Kernel NTFS3 CVE-2026-53027

| EUVDEUVD-2026-38895 MEDIUM
2026-06-24 Linux GHSA-mcqq-386f-gvf4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges required to mount and access an NTFS volume; no confidentiality or integrity impact; availability impact via kernel WARN_ON is high.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 17:01 vuln.today
CVSS changed
Jul 15, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()

When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments.

The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1).

Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup.

The following scenario triggers the bug: attr_data_get_block_locked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attr_allocate_clusters() <- allocation succeeds run_lookup_entry(vcn0) <- vcn0 not in run -> SPARSE_LCN WARN_ON(1) <- bug fires here!

AnalysisAI

Kernel availability impact in the Linux NTFS3 filesystem driver allows a local low-privileged user to trigger a WARN_ON(1) in attr_data_get_block_locked() by accessing NTFS volumes containing compressed or sparse attributes with frame-aligned cluster boundaries. The root cause is a missing run-segment load for vcn0 when it resides in a different attribute segment than vcn after cmask rounding, causing run_lookup_entry() to return SPARSE_LCN and fire the kernel warning. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local user account access
Delivery
Create or mount crafted NTFS volume with compressed/sparse frame-aligned attribute
Exploit
Access target file to trigger attr_data_get_block_locked()
Execution
vcn0 segment not loaded into run list
Persist
run_lookup_entry(vcn0) returns SPARSE_LCN
Impact
WARN_ON(1) fires causing kernel availability impact

Vulnerability AssessmentAI

Exploitation Exploitation requires local system access with at least low-level user privileges (confirmed by CVSS PR:L), a vulnerable Linux kernel (approximately 6.1.132 or within the 6.2-era commit range prior to the fix), and the ntfs3 kernel module loaded. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 Medium (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately captures the local-only reach, low-privilege requirement, and exclusive availability impact with no confidentiality or integrity effects. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with a standard account on a vulnerable Linux system creates or mounts an NTFS volume containing compressed or sparse files whose cluster allocation produces a frame-aligned vcn boundary (vcn0 != vcn). Accessing the file triggers attr_data_get_block_locked() to load runs for the vcn segment while leaving the vcn0 segment unloaded; the subsequent run_lookup_entry(vcn0) call returns SPARSE_LCN and fires WARN_ON(1), potentially disrupting kernel operation or generating persistent kernel log errors. …
Remediation The primary remediation is upgrading to a patched kernel version: Linux 7.0.10 or 7.1 per EUVD-2026-38895, incorporating fix commits 2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54 and d7ea8495fd307b58f8867acd81a1b40075b1d3ba (https://git.kernel.org/stable/c/2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54 and https://git.kernel.org/stable/c/d7ea8495fd307b58f8867acd81a1b40075b1d3ba). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53027 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy