VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2025-40313

Description

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: pretend $Extend records as regular files

Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux ntfs3 driver, $Extend special records now get S_IFREG type to satisfy VFS validation and prevent mount failures.

Vulnerability Description

The ntfs3 driver in the Linux kernel failed to assign a valid inode type (S_IFDIR/S_IFLNK/S_IFREG/etc.) to $Extend special records. A kernel change (commit af153bb63a33) in the VFS layer made may_open() strictly validate that every inode belongs to one of the standard file types. This caused the ntfs3 driver to fail the VFS check, leading to mount failures or other operational issues [1][2][3].

Attack Surface

The vulnerability is triggered simply by mounting an NTFS volume that contains $Extend records (common on modern NTFS filesystems). No special attacker capabilities are required—the kernel's VFS layer denies access to the inode due to the missing type flag. This is a logic/validation issue, not a memory corruption or privilege escalation bug.

Impact

The immediate impact is that filesystem operations on affected NTFS volumes, especially those involving $Extend metadata, may fail. This can prevent the volume from being mounted correctly or cause access errors to certain files. Under normal circumstances, this does not allow arbitrary code execution or privilege escalation, but it does disrupt legitimate filesystem access.

Mitigation Status

The fix was applied to the Linux kernel stable tree. It assigns S_IFREG to $Extend records, making them pass VFS validation. Users should update to a kernel version containing the fix from commits 78d46f5276ed, 63eb6730ce06, or 4e8011ffec79 [1][2][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
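The type check and the fix described above can be modelled in userspace. This is an added example, not code from the kernel or from the ntfs3 patches; the function names are hypothetical, and the pre-fix mode (permission bits with no type bits) is an assumption made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose S_IFLNK/S_IFSOCK under strict -std modes */
#endif
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Userspace model of the validation the advisory describes: an inode is
 * accepted only if its S_IFMT bits select one of the seven standard types. */
static bool vfs_type_is_valid(mode_t mode)
{
    switch (mode & S_IFMT) {
    case S_IFDIR: case S_IFLNK: case S_IFREG: case S_IFCHR:
    case S_IFBLK: case S_IFIFO: case S_IFSOCK:
        return true;
    default:
        return false;   /* no recognised type bits: rejected */
    }
}

/* Hypothetical helper: the mode a driver presents for an $Extend record.
 * fixed == false: assumed pre-fix state, permission bits but no type bits.
 * fixed == true:  the fix from the advisory, record presented as S_IFREG. */
static mode_t extend_record_mode(bool fixed)
{
    mode_t perms = 0600;    /* constructed sample permissions */
    return fixed ? (S_IFREG | perms) : perms;
}

int main(void)
{
    const bool states[] = { false, true };

    for (size_t i = 0; i < sizeof(states) / sizeof(states[0]); i++) {
        mode_t m = extend_record_mode(states[i]);

        printf("%-8s mode=%07o type_bits=%07o -> %s\n",
               states[i] ? "fixed" : "unfixed",
               (unsigned)m, (unsigned)(m & S_IFMT),
               vfs_type_is_valid(m) ? "accepted" : "rejected");
    }
    return 0;
}
```

Permission bits alone never satisfy the check, because only the `S_IFMT` field is inspected; that is why the fix changes the record's type and not its permissions.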
