CVE-2025-71265
Description
In the Linux kernel, the following vulnerability has been resolved:
fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.
A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.
This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ntfs3 filesystem, inconsistent metadata can trigger an infinite loop due to a NULL run list, leading to a denial-of-service (DoS) condition.
Vulnerability
Description
CVE-2025-71265 is a denial-of-service vulnerability in the Linux kernel's ntfs3 file system driver. The root cause is inconsistent metadata where an attribute header indicates an empty run list (by setting evcn = -1 and svcn = 0) but directory entries reference the same attribute as containing actual data [1]. The run_unpack() function correctly treats evcn = -1 as representing an empty run list and returns success without populating the runs_tree, leaving it in an uninitialized state with run->runs as a NULL pointer.
Exploitation
Conditions
An attacker with the ability to mount a crafted NTFS image can trigger the vulnerability. When attr_load_runs_range() calls run_unpack() and receives a successful return code, it assumes the runs have been loaded and sets clen = 0, expecting the next call to run_lookup_entry() to succeed. However, because runs_tree remains uninitialized (with a NULL runs pointer), run_lookup_entry() repeatedly fails. The loop then increments vcn by zero (vcn += 0), causing an infinite loop that consumes CPU resources indefinitely and results in a kernel hang or denial-of-service condition [1].
Impact
Successful exploitation causes a denial-of-service (DoS) attack against the system. The kernel thread handling the mount or file access becomes stuck in an infinite loop, potentially rendering the system unresponsive. The vulnerability requires local access to mount a malicious filesystem, making it a privilege escalation of a limited kind (from local user to system-wide DoS) [1].
Mitigation
Patches have been merged into the Linux kernel stable tree for multiple versions. The fix adds a retry counter to attr_load_runs_range(): if run_lookup_entry() fails consecutively on a second attempt, the function returns -EINVAL to signal corrupted metadata and break the loop, preventing the infinite wait [1][2][3][4]. Users should apply the latest kernel updates to protect against this issue. If patching is delayed, avoiding mounting untrusted NTFS images can reduce risk, though no comprehensive workaround exists.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Linux/Linuxv5Range: 5.15
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/3c3a6e951b9b53dab2ac460a655313cf04c4a10anvdPatch
- git.kernel.org/stable/c/4b90f16e4bb5607fb35e7802eb67874038da4640nvdPatch
- git.kernel.org/stable/c/6f07a590616ff5f57f7c041d98e463fad9e9f763nvdPatch
- git.kernel.org/stable/c/78b61f7eac37a63284774b147f38dd0be6cad43cnvdPatch
- git.kernel.org/stable/c/a89bc96d5abd8a4a8d5d911884ea347efcdf460bnvdPatch
- git.kernel.org/stable/c/af839013c70a24779f9d1afb1575952009312d38nvdPatch
- git.kernel.org/stable/c/c0b43c45d45f59e7faad48675a50231a210c379bnvdPatch
News mentions
0No linked articles in our index yet.