High severity 7.8 · NVD Advisory · Published Sep 4, 2025 · Updated May 12, 2026

CVE-2025-38707

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Add sanity check for file name

The length of the file name should be smaller than the directory entry size.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing sanity check in the Linux kernel's NTFS3 driver can allow a malformed file name to cause memory corruption or a buffer over-read.

Root Cause

In the Linux kernel's NTFS3 filesystem driver (fs/ntfs3), the code lacked a sanity check ensuring that the length of a file name is smaller than the directory entry size [1]. This oversight can lead to memory corruption or other security violations when processing specially crafted NTFS directory entries.
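
An added example, not the kernel's code or the upstream patch: a bounds check of the kind described above, using a simplified, hypothetical entry layout and the assumed names `de_name_ok` and `DE_HDR_SIZE`. It goes slightly beyond the description by also checking that the entry itself fits in the buffer it was read from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified, hypothetical entry layout (not the real NTFS on-disk format):
 *   bytes 0-1  entry size in bytes, little-endian
 *   byte  2    name length in UTF-16 code units
 *   byte  3    reserved
 *   bytes 4..  name, 2 bytes per code unit
 */
#define DE_HDR_SIZE 4u

/* Returns 1 when the name lies entirely inside the entry and the entry lies
 * entirely inside the buffer, 0 otherwise. Only validated entries may be read. */
static int de_name_ok(const uint8_t *buf, size_t buf_len)
{
    size_t de_size, name_bytes;

    if (buf_len < DE_HDR_SIZE)
        return 0;                         /* header itself is truncated */
    de_size = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (de_size < DE_HDR_SIZE || de_size > buf_len)
        return 0;                         /* entry size is not plausible */
    name_bytes = (size_t)buf[2] * 2;
    if (name_bytes > de_size - DE_HDR_SIZE)
        return 0;                         /* name claims more than the entry holds */
    return 1;
}

/* Constructed sample entries, both 12 bytes long. */
static const uint8_t good_de[12] = { 12, 0, 4, 0, 'a', 0, '.', 0, 't', 0, 'x', 0 };
static const uint8_t bad_de[12]  = { 12, 0, 200, 0, 'a', 0, '.', 0, 't', 0, 'x', 0 };

int main(void)
{
    printf("good entry accepted: %d\n", de_name_ok(good_de, sizeof good_de));
    printf("bad entry accepted:  %d\n", de_name_ok(bad_de, sizeof bad_de));
    return 0;
}
```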

Exploitation

An attacker who can control an NTFS filesystem image (e.g., by mounting a malicious USB drive or network share) could provide a directory entry with an overly long file name. No authentication or special privileges are needed beyond the ability to trigger a mount of the crafted volume. The vulnerability lies in the kernel's handling of the directory entry parsing, so it is accessible from user space through filesystem operations [1].

Impact

A successful exploit could lead to kernel memory corruption, potentially allowing an attacker to crash the system (denial of service) or, with further exploitation, achieve local privilege escalation. The CVSS v3 score of 7.8 (High) reflects the potential for high impact on confidentiality, integrity, and availability, assuming local access and low privileges [1].

Mitigation

Patches have been committed to the Linux kernel stable branches, as referenced in commits [2][3][4]; vendors such as Siemens have acknowledged the CVE in affected products like SIMATIC CN 4100 and recommend updating to fixed versions [1]. System administrators should apply the latest kernel updates from their distribution and ensure any NTFS3 usage is patched.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
  • Linux/Kernel (2 versions)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.15,<5.15.190)
    • (no CPE)
  • Linux/Linuxv5
    Range: 5.15

Patches

0

No patches discovered yet.
