Skip to main content

Linux Kernel EUVDEUVD-2026-38891

| CVE-2026-53023 MEDIUM
2026-06-24 Linux GHSA-fw3c-7wwh-rhhf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local filesystem mount access required (AV:L, PR:L); no confirmed confidentiality or integrity impact; kernel OOB read drives A:H with unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 14:08 vuln.today
CVSS changed
Jul 15, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: terminate the cached volume label after UTF-8 conversion

ntfs_fill_super() loads the on-disk volume label with utf16s_to_utf8s() and stores the result in sbi->volume.label. The converted label is later exposed through ntfs3_label_show() using %s, but utf16s_to_utf8s() only returns the number of bytes written and does not add a trailing NUL.

If the converted label fills the entire fixed buffer, ntfs3_label_show() can read past the end of sbi->volume.label while looking for a terminator.

Terminate the cached label explicitly after a successful conversion and clamp the exact-full case to the last byte of the buffer.

AnalysisAI

Missing NUL termination in the Linux kernel's ntfs3 filesystem driver allows a local attacker with filesystem mount privileges to trigger an out-of-bounds memory read, crashing the kernel. The defect in ntfs_fill_super() leaves sbi->volume.label unterminated when a UTF-16 volume label converts to a UTF-8 string that exactly fills the fixed buffer, causing ntfs3_label_show() to read past the buffer boundary via a %s format specifier. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft NTFS image with exact-fill UTF-8 label
Delivery
Mount image via unprivileged user or auto-mounter
Exploit
ntfs_fill_super() converts label without NUL
Execution
Read sysfs label attribute via ntfs3_label_show()
Persist
Out-of-bounds read past sbi->volume.label
Impact
Kernel panic or adjacent memory exposure

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the target system and the ability to mount an NTFS filesystem, either through direct mount privileges or via auto-mounting daemons (udisks2/polkit) common on desktop Linux distributions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate despite the CVSS availability rating of High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with filesystem mount privileges - for example, via polkit or udisks2 on a desktop Linux system - crafts a malicious NTFS disk image whose volume label, after UTF-16 to UTF-8 conversion, exactly fills the kernel's fixed-size label buffer without leaving space for a NUL terminator. Upon mounting this image, ntfs_fill_super() stores the unterminated string; when any process subsequently reads the sysfs label attribute (e.g., /sys/fs/ntfs3/<device>/label), ntfs3_label_show() reads beyond the buffer boundary, potentially triggering a kernel panic and system crash. …
Remediation The primary fix is to upgrade to a patched kernel version for your stable branch: 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, or 7.0.10. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy