Skip to main content

Linux Kernel EUVDEUVD-2026-32219

| CVE-2026-45935 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4cvx-h6xx-mj53
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:29 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the entry size ('esize') is retrieved from the log record without adequate bounds checking.

Specifically, the code calculates the end of the entry ('e2') using: e2 = Add2Ptr(e1, esize);

It then calculates the size for memmove using 'PtrOffset(e2, ...)', which subtracts the end pointer from the buffer limit. If 'esize' is maliciously large, 'e2' exceeds the used buffer size. This results in a negative offset which, when cast to size_t for memmove, interprets as a massive unsigned integer, leading to a heap buffer overflow.

This commit adds a check to ensure that the entry size ('esize') strictly fits within the remaining used space of the index header before performing memory operations.

AnalysisAI

Heap buffer overflow read in the Linux kernel's NTFS3 filesystem driver allows local attackers to trigger out-of-bounds memory access by mounting or processing a maliciously crafted NTFS volume. The flaw resides in the DeleteIndexEntryRoot path of the do_action function, where an attacker-controlled entry size ('esize') bypasses bounds checks and causes memmove to operate on an unsigned-converted negative offset. EPSS scores exploitation probability at 0.03% (9th percentile) and no public exploit has been identified at time of analysis.

Technical ContextAI

The vulnerability lives in fs/ntfs3/fslog.c, the journal/log replay subsystem of the NTFS3 in-tree filesystem driver introduced in Linux 5.15 to provide read/write support for Microsoft NTFS volumes. During replay of a DeleteIndexEntryRoot log action, the code reads an attacker-controlled entry size from a log record and computes a pointer e2 via Add2Ptr(e1, esize) without validating that esize fits within the remaining index header buffer. The subsequent PtrOffset(e2, end) calculation produces a negative ptrdiff that, when implicitly converted to memmove's size_t length argument, becomes a near-SIZE_MAX value - triggering a heap out-of-bounds read. This is a classic CWE-125 (Out-of-bounds Read) / CWE-787 family bug combined with CWE-681 (Incorrect Conversion between Numeric Types).

RemediationAI

Vendor-released patches are available: upgrade to Linux 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4 or later depending on your stable branch, picking the commits 36c03f7f, 78942172, a584b9d1, b271c9cb, b2bc7c44, c065541b, and f3b437a4 from git.kernel.org/stable if backporting manually. Where immediate patching is not feasible, the most effective compensating control is to prevent untrusted NTFS volumes from being processed by ntfs3 - either blacklist the ntfs3 kernel module (echo 'blacklist ntfs3' to /etc/modprobe.d/) or disable automount for removable media in udisks2/GNOME/KDE settings, accepting the trade-off that users lose transparent NTFS read/write support and must mount trusted volumes manually. Distribution advisories should be tracked at vendor channels (e.g. Debian DSA, Ubuntu USN, RHEL errata) once published; only the upstream git.kernel.org references are available at time of analysis.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy