Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access and low privileges required to mount and access an NTFS volume; no confidentiality or integrity impact; availability impact via kernel WARN_ON is high.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments.
The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1).
Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup.
The following scenario triggers the bug: attr_data_get_block_locked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attr_allocate_clusters() <- allocation succeeds run_lookup_entry(vcn0) <- vcn0 not in run -> SPARSE_LCN WARN_ON(1) <- bug fires here!
AnalysisAI
Kernel availability impact in the Linux NTFS3 filesystem driver allows a local low-privileged user to trigger a WARN_ON(1) in attr_data_get_block_locked() by accessing NTFS volumes containing compressed or sparse attributes with frame-aligned cluster boundaries. The root cause is a missing run-segment load for vcn0 when it resides in a different attribute segment than vcn after cmask rounding, causing run_lookup_entry() to return SPARSE_LCN and fire the kernel warning. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local system access with at least low-level user privileges (confirmed by CVSS PR:L), a vulnerable Linux kernel (approximately 6.1.132 or within the 6.2-era commit range prior to the fix), and the ntfs3 kernel module loaded. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 Medium (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately captures the local-only reach, low-privilege requirement, and exclusive availability impact with no confidentiality or integrity effects. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with a standard account on a vulnerable Linux system creates or mounts an NTFS volume containing compressed or sparse files whose cluster allocation produces a frame-aligned vcn boundary (vcn0 != vcn). Accessing the file triggers attr_data_get_block_locked() to load runs for the vcn segment while leaving the vcn0 segment unloaded; the subsequent run_lookup_entry(vcn0) call returns SPARSE_LCN and fires WARN_ON(1), potentially disrupting kernel operation or generating persistent kernel log errors. … |
| Remediation | The primary remediation is upgrading to a patched kernel version: Linux 7.0.10 or 7.1 per EUVD-2026-38895, incorporating fix commits 2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54 and d7ea8495fd307b58f8867acd81a1b40075b1d3ba (https://git.kernel.org/stable/c/2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54 and https://git.kernel.org/stable/c/d7ea8495fd307b58f8867acd81a1b40075b1d3ba). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38895
GHSA-mcqq-386f-gvf4