CVE-2025-71067
Description
In the Linux kernel, the following vulnerability has been resolved:
ntfs: set dummy blocksize to read boot_block when mounting
When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block.
The issue can be triggered with the following syz reproducer:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)
Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero.
Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug.
[almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing blocksize initialization in the NTFS3 driver during mount can cause a crash when a device block size exceeds PAGE_SIZE.
Vulnerability
Overview
CVE-2025-71067 is a bug in the Linux kernel's NTFS3 file system driver. During mount, the kernel's block device layer may set the superblock's s_blocksize to zero if the device's physical block size is larger than the system's page size (PAGE_SIZE). This occurs because sb_set_blocksize() does not override a value exceeding PAGE_SIZE, leaving the superblock with an undefined block size[1].
Exploitation
Scenario
An attacker with the ability to mount a crafted NTFS3 image can trigger the vulnerability. The exploit path involves setting the block device size to a value > PAGE_SIZE (e.g., 16384 on a 4096-byte page system) before mounting the NTFS3 volume. This can be achieved using the ioctl$FS_IOC_SETFLAGS call. When ntfs_init_from_boot() subsequently attempts to read the boot block using the zero s_blocksize, it causes a kernel crash[1].
Impact
Successful exploitation leads to a denial of service (system crash) due to an incorrect memory access. The prerequisite is the ability to mount a malicious NTFS3 volume, but no special privileges beyond the global mount capability are required on a default Linux system. The bug was reproduced via a syzkaller-generated test case[1].
Mitigation
The fix, applied in the Linux kernel stable git commits (references [1], [2], [3]), sets a temporary dummy blocksize in the mounting code before reading the boot block. This ensures the read operation uses a valid block size even if the later sb_set_blocksize() fails. Users should update their kernels to include one of the cherry-picked commits.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5nvd
- git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43nvd
- git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417nvd
- git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85anvd
- git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360dnvd
News mentions
0No linked articles in our index yet.