Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local-only trigger via ntfs3 driver I/O, low-privilege user sufficient, no confidentiality or integrity impact confirmed.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: prevent uninitialized lcn caused by zero len
syzbot reported a uninit-value in ntfs_iomap_begin [1].
Since runs was not touched yet, run_lookup_entry() immediately fails and returns false, which makes the value of "*len" 0. Simultaneously, the new value and err value are also 0, causing the logic in attr_data_get_block_locked() to jump directly to ok, ultimately resulting in *lcn being triggered before it is set [1].
In ntfs_iomap_begin(), the check for a 0 value in clen is moved forward to before updating lcn to avoid this [1].
[1] BUG: KMSAN: uninit-value in ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825 ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825 iomap_iter+0x9b7/0x1540 fs/iomap/iter.c:110
Local variable lcn created at: ntfs_iomap_begin+0x15d/0x1460 fs/ntfs3/inode.c:786
AnalysisAI
Uninitialized variable read in the NTFS3 filesystem driver (ntfs_iomap_begin()) of the Linux kernel allows a local authenticated user to crash the system by triggering a zero-length run condition that causes the lcn (logical cluster number) variable to be consumed before assignment. The flaw affects Linux 7.0 up to 7.0.10 and Linux 7.1 prior to the stable fix commits, with the defect discovered and confirmed by Google syzbot via KMSAN. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local shell access with at least low-privilege credentials (consistent with PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5 Medium) correctly captures the threat model: local, low-privilege access is required, with the sole confirmed impact being availability (kernel crash). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with shell access on a vulnerable Linux system inserts or presents a crafted NTFS disk image or USB volume designed to produce a zero-length run entry in the ntfs3 run list. When the system mounts and accesses the volume via the ntfs3 driver, `ntfs_iomap_begin()` encounters the malformed run, `run_lookup_entry()` returns false with `*len` set to zero, and the uninitialized `lcn` variable is passed onward, triggering undefined kernel behavior - likely a kernel panic - that causes a full system crash and denial of service for all users. … |
| Remediation | The primary remediation is upgrading to Linux 7.0.10 or applying the Linux 7.1 patch commit `e98266e823a1fa06fe6499df61aeaac2fd6f7a49`, both referenced at https://git.kernel.org/stable/c/485f750cac3d8bdf5552a0e3d79ce5e3a03ece49 and https://git.kernel.org/stable/c/e98266e823a1fa06fe6499df61aeaac2fd6f7a49. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38897
GHSA-hw8w-qhg7-g497