Skip to main content

Linux Kernel EUVDEUVD-2026-32444

| CVE-2026-46062 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-68g3-h729-p4rw
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:43 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: fix integer overflow in run_unpack() volume boundary check

The volume boundary check lcn + len > sbi->used.bitmap.nbits uses raw addition which can wrap around for large lcn and len values, bypassing the validation. Use check_add_overflow() as is already done for the adjacent prev_lcn + dlcn and vcn64 + len checks added by commit 3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

AnalysisAI

Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check lcn + len > sbi->used.bitmap.nbits performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.

Technical ContextAI

The vulnerability is in fs/ntfs3, the in-kernel NTFS read/write driver that replaced the legacy ntfs read-only driver in Linux 5.15. The run_unpack() function decodes runlists - the compact on-disk representation NTFS uses to map virtual cluster numbers (VCN) to logical cluster numbers (LCN). The driver validates that an LCN range falls within the volume bitmap by computing lcn + len, but because both values are attacker-controlled and unbounded, the sum can wrap past SIZE_MAX/UINT64_MAX and produce a small result that passes the comparison. This is a classic CWE-190 (Integer Overflow or Wraparound) leading to CWE-787-style out-of-bounds writes/reads downstream. The fix mirrors the pattern already used by commit 3ac37e100385 for adjacent checks, switching to the kernel's check_add_overflow() helper which performs overflow-aware arithmetic.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 7.0.4, 6.18.27, or 7.1-rc1 (or any later release in those series), referencing the stable commits at https://git.kernel.org/stable/c/60dab3e2931f3d792438a77a6cb0cb731c43300b and the four sibling commits listed in the references. For systems that cannot patch immediately, the most effective compensating control is to disable the ntfs3 driver by blacklisting the module (echo 'blacklist ntfs3' > /etc/modprobe.d/blacklist-ntfs3.conf and rebuild initramfs) - the trade-off is loss of read/write access to NTFS volumes, which may break workflows that rely on Windows-formatted media. Where the driver must remain loaded, disable udisks2/auto-mount policies for removable devices and restrict mount privileges to administrators only, accepting that interactive users will need elevated permissions for legitimate NTFS use. Avoid mounting NTFS images from untrusted sources (email attachments, downloaded disk images, untrusted USB devices) in the interim.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy