Skip to main content

Linux Kernel CVE-2026-53029

| EUVDEUVD-2026-38897 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-06-24 Linux GHSA-hw8w-qhg7-g497
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only trigger via ntfs3 driver I/O, low-privilege user sufficient, no confidentiality or integrity impact confirmed.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 17:01 vuln.today
CVSS changed
Jul 15, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: prevent uninitialized lcn caused by zero len

syzbot reported a uninit-value in ntfs_iomap_begin [1].

Since runs was not touched yet, run_lookup_entry() immediately fails and returns false, which makes the value of "*len" 0. Simultaneously, the new value and err value are also 0, causing the logic in attr_data_get_block_locked() to jump directly to ok, ultimately resulting in *lcn being triggered before it is set [1].

In ntfs_iomap_begin(), the check for a 0 value in clen is moved forward to before updating lcn to avoid this [1].

[1] BUG: KMSAN: uninit-value in ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825 ntfs_iomap_begin+0x8c0/0x1460 fs/ntfs3/inode.c:825 iomap_iter+0x9b7/0x1540 fs/iomap/iter.c:110

Local variable lcn created at: ntfs_iomap_begin+0x15d/0x1460 fs/ntfs3/inode.c:786

AnalysisAI

Uninitialized variable read in the NTFS3 filesystem driver (ntfs_iomap_begin()) of the Linux kernel allows a local authenticated user to crash the system by triggering a zero-length run condition that causes the lcn (logical cluster number) variable to be consumed before assignment. The flaw affects Linux 7.0 up to 7.0.10 and Linux 7.1 prior to the stable fix commits, with the defect discovered and confirmed by Google syzbot via KMSAN. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local user shell access
Delivery
Present crafted or malformed NTFS volume to ntfs3 driver
Exploit
Trigger zero-length run_lookup_entry() returning false
Execution
Control flow bypasses lcn assignment
Persist
Read uninitialized lcn stack variable
Impact
Kernel undefined behavior causes system crash

Vulnerability AssessmentAI

Exploitation Exploitation requires local shell access with at least low-privilege credentials (consistent with PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5 Medium) correctly captures the threat model: local, low-privilege access is required, with the sole confirmed impact being availability (kernel crash). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with shell access on a vulnerable Linux system inserts or presents a crafted NTFS disk image or USB volume designed to produce a zero-length run entry in the ntfs3 run list. When the system mounts and accesses the volume via the ntfs3 driver, `ntfs_iomap_begin()` encounters the malformed run, `run_lookup_entry()` returns false with `*len` set to zero, and the uninitialized `lcn` variable is passed onward, triggering undefined kernel behavior - likely a kernel panic - that causes a full system crash and denial of service for all users. …
Remediation The primary remediation is upgrading to Linux 7.0.10 or applying the Linux 7.1 patch commit `e98266e823a1fa06fe6499df61aeaac2fd6f7a49`, both referenced at https://git.kernel.org/stable/c/485f750cac3d8bdf5552a0e3d79ce5e3a03ece49 and https://git.kernel.org/stable/c/e98266e823a1fa06fe6499df61aeaac2fd6f7a49. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy