CVE-2025-40068

Vulnerability

Overview

In the Linux kernel's NTFS3 filesystem driver, the run_unpack() function decodes compressed runlist data from MFT attributes (e.g., $DATA) into a runs_tree structure, mapping virtual clusters (VCN) to logical clusters (LCN). An integer overflow occurs in an addition operation during runlist decoding because the values extracted from the MFT record are not validated before being used in calculations. This flaw was discovered by the Linux Verification Center (linuxtesting.org) using the SVACE static analyzer [1].

Exploitation

An attacker with the ability to write to an NTFS volume can substitute the runlist in the $DATA attribute of an arbitrary file's MFT record. By crafting a runlist that triggers the integer overflow, the attacker can cause the kernel to misinterpret the file's cluster mapping. The NTFS3 subsystem also provides a shortcut for deleting files using the RUN_DEALLOCATE command, which passes data to run_unpack() without creating a runs_tree structure, potentially amplifying the impact.

Impact

Successful exploitation can lead to either accessing arbitrary data on the disk (bypassing inode-level access checks) or destroying arbitrary data on the disk. This effectively allows an unprivileged attacker to read or corrupt any sector on the filesystem, depending on how the overflow manipulates the calculated logical cluster number (LCN).

Mitigation

The vulnerability has been addressed by adding an overflow check for the addition operation in run_unpack(). Patches have been backported to stable kernel releases as commits [1], [2], and [3]. Users are strongly advised to update their kernels to include these fixes. No workarounds are currently available.