Skip to main content

Linux Kernel NTFS3 EUVDEUVD-2025-209973

| CVE-2025-71309 MEDIUM
Improper Locking (CWE-667)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fq5h-cm7q-5gg6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege access triggers race condition on compressed NTFS mount; no confidentiality or integrity impact, only availability loss confirmed.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 25, 2026 - 21:10 vuln.today
CVSS changed
Jun 25, 2026 - 21:07 NVD
5.5 (MEDIUM)
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix deadlock in ni_read_folio_cmpr

Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr). This is caused by a lock inversion deadlock involving the inode mutex (ni_lock) and page locks.

Scenario:

  1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock.
  2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in

the compressed frame (including page Y).

  1. Concurrently, Task B (e.g., via readahead) has locked page Y and

calls ntfs_read_folio().

  1. Task B waits for ni_lock (held by A).
  2. Task A waits for page Y lock (held by B).

-> DEADLOCK.

The fix is to restructure locking: do not take ni_lock in ntfs_read_folio(). Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required page locks for the frame have been successfully acquired. This restores the correct lock ordering (Page Lock -> ni_lock) consistent with VFS.

[almaz.alexandrovich@paragon-software.com: ni_readpage_cmpr was renamed to ni_read_folio_cmpr]

AnalysisAI

Deadlock in the Linux kernel's NTFS3 compressed-file read path (fs/ntfs3) causes indefinite task hang and local denial of service when concurrent readers contend over compressed NTFS frames. The inode mutex (ni_lock) and VFS page locks are acquired in inverted order across two concurrent tasks - a classic ABBA deadlock first surfaced by Syzbot. Versions prior to 6.19.4 (stable) and 7.0 (mainline) are affected; no public exploit or active exploitation has been identified, and the EPSS score of 0.02% (5th percentile) reflects the narrow, configuration-specific conditions required.

Technical ContextAI

The vulnerability resides in fs/ntfs3/page.c within the ni_read_folio_cmpr() function (previously ni_readpage_cmpr()), the kernel routine responsible for reading compressed data frames from NTFS volumes formatted with Windows NTFS file-level compression. NTFS3 is the modern in-tree Linux NTFS driver contributed by Paragon Software. CWE-667 (Improper Locking) precisely identifies the root cause: Task A holds ni_lock and then tries to lock all pages in a compressed frame, while Task B holds one of those page locks via readahead and blocks waiting for ni_lock - resulting in mutual wait. The fix restores the VFS-mandated lock ordering (Page Lock before ni_lock) by acquiring all required page locks for the compressed frame before taking ni_lock inside ni_read_folio_cmpr(), and removing the ni_lock acquisition from ntfs_read_folio() entirely. The CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers all kernel versions, with the vulnerable range bounded by EUVD-identified commits from f35590ee26f5722bfe12cdff14396c4c057a8f74 up to fix commits cfe246b318106e1691bd6c9466c739e8559d25c2 and e37a75bb866c29da954b51d0dd7670406246d9ee.

RemediationAI

The primary fix is upgrading to Linux kernel 6.19.4 (stable series) or 7.0 (mainline), both confirmed by EUVD to contain the corrected lock ordering in fs/ntfs3. The authoritative fix commits are https://git.kernel.org/stable/c/cfe246b318106e1691bd6c9466c739e8559d25c2 and https://git.kernel.org/stable/c/e37a75bb866c29da954b51d0dd7670406246d9ee; distribution vendors (Red Hat, SUSE, Ubuntu, Debian) may backport these to supported kernel versions - consult their respective security advisories. If immediate kernel upgrade is not feasible, a targeted compensating control is to avoid mounting NTFS volumes that use Windows NTFS file-level compression (the 'compress' attribute applied to files or directories within the volume); volumes formatted without this attribute are not affected by this code path. Alternatively, if NTFS support is not required, removing or blacklisting the ntfs3 kernel module (modprobe -r ntfs3 and adding it to /etc/modprobe.d/blacklist.conf) eliminates the attack surface entirely, with the trade-off of losing native NTFS read/write capability for that system.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2025-209973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy