CVE-2025-71311
Description
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Initialize new folios before use
KMSAN reports an uninitialized value in longest_match_std(), invoked from ntfs_compress_write(). When new folios are allocated without being marked uptodate and ni_read_frame() is skipped because the caller expects the frame to be completely overwritten, some reserved folios may remain only partially filled, leaving the rest of the memory uninitialized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ntfs3 filesystem, newly allocated folios are not initialized before use, leading to potential information disclosure via uninitialized memory in ntfs_compress_write().
Vulnerability
In the Linux kernel's ntfs3 filesystem, a vulnerability exists in the compression write path. When new folios are allocated without being marked uptodate and ni_read_frame() is skipped because the caller expects the frame to be completely overwritten, some reserved folios may remain only partially filled, leaving the rest of memory uninitialized. This uninitialized data is then used in longest_match_std() invoked from ntfs_compress_write(), as reported by KMSAN [1]. The issue affects the ntfs3 driver in the Linux kernel.
Exploitation
An attacker would need the ability to trigger the ntfs3 compression write path, which requires write access to an NTFS volume mounted with the ntfs3 driver. The attacker must craft a write operation that causes the kernel to allocate new folios and skip reading the existing frame, leading to partial initialization. No special privileges beyond normal file write access are required.
Impact
The uninitialized memory may contain sensitive kernel data, potentially leading to information disclosure. The KMSAN report indicates that the uninitialized value is used in longest_match_std(), which could leak kernel memory contents to userspace or to other parts of the kernel. The impact is limited to information disclosure; no code execution or privilege escalation is indicated.
Mitigation
The fix is included in the Linux kernel stable tree via commit [1]. Users should update to a kernel version containing this commit. The specific commit is 41d79f8e2a36 (and equivalent stable backports). No workaround is available; updating the kernel is the recommended mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (8)
41d79f8e2a36 fs/ntfs3: Initialize new folios before use
1 file changed · +1 −2
fs/ntfs3/file.c+1 −2 modifieddiff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index 2e7b2e566ebe18..732260087066d7 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c @@ -995,7 +995,7 @@ static int ntfs_get_frame_pages(struct address_space *mapping, pgoff_t index, folio = __filemap_get_folio(mapping, index, FGP_LOCK | FGP_ACCESSED | FGP_CREAT, - gfp_mask); + gfp_mask | __GFP_ZERO); if (IS_ERR(folio)) { while (npages--) { folio = page_folio(pages[npages]); -- cgit 1.3-korg
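Review bot: `__GFP_ZERO` ORed into `gfp_mask` here affects only folios that this `__filemap_get_folio()` call itself creates under `FGP_CREAT`; a folio already present in the page cache is returned as found, so the zeroing covers exactly the newly allocated, never-uptodate folios the commit message describes and nothing else. That scope fits the bug, but the reason for zeroing (ni_read_frame() may be skipped when the caller intends to overwrite the whole frame, and longest_match_std() then scans the whole frame) exists only in the commit message; a one-line comment above the call, such as `/* Zero new folios: ni_read_frame() may be skipped, and the compressor reads the whole frame */`, would stop the next person from removing the flag as an apparently needless cost.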
f223ebffa185 fs/ntfs3: Initialize new folios before use
1 file changed · +1 −2
fs/ntfs3/file.c+1 −2 modifieddiff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index 2e7b2e566ebe18..732260087066d7 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c @@ -995,7 +995,7 @@ static int ntfs_get_frame_pages(struct address_space *mapping, pgoff_t index, folio = __filemap_get_folio(mapping, index, FGP_LOCK | FGP_ACCESSED | FGP_CREAT, - gfp_mask); + gfp_mask | __GFP_ZERO); if (IS_ERR(folio)) { while (npages--) { folio = page_folio(pages[npages]); -- cgit 1.3-korg
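Review bot: the file stat reads +1 −2, but the visible hunk is `@@ -995,7 +995,7 @@`, seven lines to seven lines with a single line replaced, so one removed line is not shown in this rendering and the stat cannot be checked against the hunk as displayed. The index line (2e7b2e566ebe18..732260087066d7) and hunk header are identical to those of commit 41d79f8e2a36, so this is the same change blob for blob rather than an adapted backport, and it inherits the same gap: nothing at the call site records why `__GFP_ZERO` is needed, which a short comment above the `__filemap_get_folio()` call would fix.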
5a30cc03bde1 fs/ntfs3: Initialize new folios before use
1 file changed · +1 −2
fs/ntfs3/file.c+1 −2 modifieddiff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index 83f0072f0896c7..3e61eaf28e0885 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c @@ -930,7 +930,7 @@ static int ntfs_get_frame_pages(struct address_space *mapping, pgoff_t index, folio = __filemap_get_folio(mapping, index, FGP_LOCK | FGP_ACCESSED | FGP_CREAT, - gfp_mask); + gfp_mask | __GFP_ZERO); if (IS_ERR(folio)) { while (npages--) { folio = page_folio(pages[npages]); -- cgit 1.3-korg
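Review bot: this backport applies at `@@ -930,7 +930,7 @@` instead of line 995 but with identical context lines, so it is an offset-only transplant; the one thing to confirm for this older tree is that its `__filemap_get_folio()` still passes the gfp argument through to the folio allocation on the `FGP_CREAT` path, because `__GFP_ZERO` has no effect on a folio unless the allocator that creates it sees the flag. A reference to the mainline commit id in the backport's changelog would also make it easier to audit that the zeroing lands on the same allocation.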
dd6c81527d09 fs/ntfs3: Initialize new folios before use
1 file changed · +1 −2
fs/ntfs3/file.c+1 −2 modifieddiff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index f1122ac5be622c..23a637cdb0810c 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c @@ -964,7 +964,7 @@ static int ntfs_get_frame_pages(struct address_space *mapping, pgoff_t index, folio = __filemap_get_folio(mapping, index, FGP_LOCK | FGP_ACCESSED | FGP_CREAT, - gfp_mask); + gfp_mask | __GFP_ZERO); if (IS_ERR(folio)) { while (npages--) { folio = page_folio(pages[npages]); -- cgit 1.3-korg
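Review bot: `__GFP_ZERO` on this `FGP_CREAT` allocation zeroes every newly created frame folio, including those that a following ni_read_frame() call will fill completely, so the compressed write path now pays a page clear on every frame allocation and not just in the skipped-read case the commit message targets. That cost is small and the blanket zeroing is the safer choice, but the changelog should say the trade-off is intentional, otherwise a later performance patch may narrow it back to the partial-overwrite case and reintroduce the uninitialized read in longest_match_std(). The hunk itself at `@@ -964,7 +964,7 @@` is an offset-only backport with context matching the mainline change.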
Vulnerability mechanics
Root cause
"New folios allocated in ntfs_get_frame_pages() are not zero-initialized, so when ni_read_frame() is skipped (because the caller expects the frame to be completely overwritten), the folios contain uninitialized memory that is later read by longest_match_std()."
Attack vector
An attacker can trigger this by performing a compressed write to an NTFS3 file where the target frame is expected to be completely overwritten, causing ntfs_get_frame_pages() to allocate new folios without reading the existing frame data. Because the folios are not zeroed (missing __GFP_ZERO), the uninitialized memory is later consumed by longest_match_std() during compression, which can leak sensitive kernel heap contents or cause undefined behavior. The bug is reachable via the ntfs_compress_write() code path with no special privileges beyond the ability to write to an NTFS3 filesystem.
Affected code
The vulnerable function is ntfs_get_frame_pages() in fs/ntfs3/file.c. The allocation call at line 995 (or equivalent line depending on kernel version) uses __filemap_get_folio() with FGP_LOCK | FGP_ACCESSED | FGP_CREAT but without __GFP_ZERO, leaving newly created folios uninitialized.
What the fix does
The patch adds the __GFP_ZERO flag to the gfp_mask passed to __filemap_get_folio() in ntfs_get_frame_pages() [patch_id=2662173]. This ensures that newly allocated folios are zero-initialized before use, eliminating the uninitialized memory that KMSAN detected in longest_match_std(). The change is a single-line addition of the flag to the existing allocation call in fs/ntfs3/file.c.
Preconditions
- config: Attacker must be able to write to an NTFS3 filesystem (mount the filesystem and perform file writes).
- input: The write must go through the compressed write path (ntfs_compress_write()) where the target frame is expected to be completely overwritten.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.