VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2025-71312

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()

In ntfs_fill_super(), the fc->fs_private pointer is set to NULL without first freeing the memory it points to. This causes the subsequent call to ntfs_fs_free() to skip freeing the ntfs_mount_options structure.

This results in a kmemleak report:

unreferenced object 0xff1100015378b800 (size 32):
  comm "mount", pid 582, jiffies 4294890685
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 ed ff ed ff 00 04 00 00  ................
  backtrace (crc ed541d8c):
    __kmalloc_cache_noprof+0x424/0x5a0
    __ntfs_init_fs_context+0x47/0x590
    alloc_fs_context+0x5d8/0x960
    __x64_sys_fsopen+0xb1/0x190
    do_syscall_64+0x50/0x1f0
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

This issue can be reproduced using the following commands:

  fallocate -l 100M test.file
  mount test.file /tmp/test

Since sbi->options is duplicated from fc->fs_private and does not directly use the memory allocated for fs_private, it is unnecessary to set fc->fs_private to NULL.

Additionally, this patch simplifies the code by utilizing the helper function put_mount_options() instead of open-coding the cleanup logic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in the Linux kernel's ntfs3 driver occurs when ntfs_fill_super() NULLs the fs_private pointer without freeing its memory, affecting mount operations.

Vulnerability

In the Linux kernel's ntfs3 filesystem driver, the function ntfs_fill_super() sets fc->fs_private to NULL without first freeing the memory allocated for the ntfs_mount_options structure. This causes a memory leak because the subsequent ntfs_fs_free() call, seeing a NULL pointer, skips freeing the mount-options structure. The issue affects kernel versions that include the ntfs3 driver and can be triggered by mounting a valid NTFS image or file. [1]

Exploitation

An attacker with local access to the system can exploit this by creating a file (e.g., via fallocate) and mounting it as an NTFS filesystem using the ntfs3 driver. The mount operation invokes the vulnerable code path, leading to a memory allocation that is never freed. No special privileges beyond the ability to mount filesystems are required, though such operations are typically restricted to root or to users holding CAP_SYS_ADMIN. [1]

Impact

Successful exploitation results in a kernel memory leak. Over repeated mount/unmount cycles, this can exhaust kernel memory resources, leading to system instability or denial of service (DoS). The leak is visible through kmemleak reports, which show unreferenced memory of 32 bytes per mount attempt. There is no privilege escalation or data corruption. [1]

Mitigation

The fix is available in the Linux kernel stable tree in commits f7edab0cee03 and dac871d833b0 (referenced as [1] and [2]). These patches correct the error path by no longer setting fc->fs_private to NULL and by using the helper put_mount_options() to free the memory properly. Users should apply the latest stable kernel updates that include these commits. No workaround is available for unpatched kernels beyond avoiding mounting untrusted NTFS images. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 4
f7edab0cee03

fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()

1 file changed · +2 −8
  • fs/ntfs3/super.c  +2 −8  modified
    diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
    index 1acc685625f73c..df65877f172c12 100644
    --- a/fs/ntfs3/super.c
    +++ b/fs/ntfs3/super.c
    @@ -705,9 +705,7 @@ static void ntfs_put_super(struct super_block *sb)
     	ntfs_set_state(sbi, NTFS_DIRTY_CLEAR);
     
     	if (sbi->options) {
    -		unload_nls(sbi->options->nls);
    -		kfree(sbi->options->nls_name);
    -		kfree(sbi->options);
    +		put_mount_options(sbi->options);
     		sbi->options = NULL;
     	}
     
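Review bot: the three removed lines released, in order, the NLS table (unload_nls), the nls_name string and the struct itself; the single replacement `put_mount_options(sbi->options);` is only equivalent if that helper does all three, and nothing in this diff shows its body. Worth confirming in review that put_mount_options() calls unload_nls() on options->nls before freeing, otherwise the fix trades a 32-byte struct leak for a leaked NLS module reference. Keeping the following `sbi->options = NULL;` is right, since the helper cannot clear the caller's pointer.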
    @@ -1253,7 +1251,6 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
     		}
     	}
     	sbi->options = options;
    -	fc->fs_private = NULL;
     	sb->s_flags |= SB_NODIRATIME;
     	sb->s_magic = 0x7366746e; // "ntfs"
     	sb->s_op = &ntfs_sops;
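Review bot: removing `fc->fs_private = NULL;` is only safe if `sbi->options` and `fc->fs_private` never point at the same allocation, because ntfs_fs_free() will now free fs_private after this function returns while sbi->options stays live for the lifetime of the superblock. The commit message asserts that sbi->options is a duplicate, but the context line `sbi->options = options;` does not show where `options` came from; the review should point at the copy to rule out a double free, and a one-line comment above that assignment stating that options is a private copy would document the invariant this hunk depends on.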
    @@ -1677,9 +1674,7 @@ put_inode_out:
     out:
     	/* sbi->options == options */
     	if (options) {
    -		unload_nls(options->nls);
    -		kfree(options->nls_name);
    -		kfree(options);
    +		put_mount_options(sbi->options);
     		sbi->options = NULL;
     	}
     
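Review bot: the guard tests `options` but the new call frees `sbi->options`, so correctness rests on the `/* sbi->options == options */` comment rather than on the code; if any error path reaches `out:` before `sbi->options = options;` has executed, sbi->options is NULL or stale and `options` itself leaks. The pre-fix lines freed `options` directly, and `put_mount_options(options);` keeps the call consistent with the condition on the line above it; if the invariant really holds on every goto, the comment should say why.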
dac871d833b0

fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()

1 file changed · +2 −8
  • fs/ntfs3/super.c  +2 −8  modified
    diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
    index 8b0cf0ed4f72cc..0567a3b224ed3d 100644
    --- a/fs/ntfs3/super.c
    +++ b/fs/ntfs3/super.c
    @@ -705,9 +705,7 @@ static void ntfs_put_super(struct super_block *sb)
     	ntfs_set_state(sbi, NTFS_DIRTY_CLEAR);
     
     	if (sbi->options) {
    -		unload_nls(sbi->options->nls);
    -		kfree(sbi->options->nls_name);
    -		kfree(sbi->options);
    +		put_mount_options(sbi->options);
     		sbi->options = NULL;
     	}
     
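Review bot: identical to the ntfs_put_super() hunk of f7edab0cee03 above (only the blob index differs); the same check applies, namely that put_mount_options() must call unload_nls() as well as kfree the name and the struct, which this diff does not show.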
    @@ -1253,7 +1251,6 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
     		}
     	}
     	sbi->options = options;
    -	fc->fs_private = NULL;
     	sb->s_flags |= SB_NODIRATIME;
     	sb->s_magic = 0x7366746e; // "ntfs"
     	sb->s_op = &ntfs_sops;
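Review bot: same removal of `fc->fs_private = NULL;` as in f7edab0cee03; the review should again confirm that `options` is a copy of fc->fs_private and not an alias, since ntfs_fs_free() freeing fs_private would otherwise leave sbi->options dangling.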
    @@ -1679,9 +1676,7 @@ put_inode_out:
     out:
     	/* sbi->options == options */
     	if (options) {
    -		unload_nls(options->nls);
    -		kfree(options->nls_name);
    -		kfree(options);
    +		put_mount_options(sbi->options);
     		sbi->options = NULL;
     	}
     
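Review bot: as in the corresponding hunk of f7edab0cee03, the condition checks `options` while the call passes `sbi->options`; passing `options` would match both the guard and the code being replaced. The hunk header shows this backport sits two lines lower (1679 vs 1677), which is the only difference from the mainline patch.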

Vulnerability mechanics

Root cause

"Setting fc->fs_private to NULL without freeing the ntfs_mount_options structure causes a memory leak because ntfs_fs_free() skips deallocation when the pointer is NULL."

Attack vector

An attacker with the ability to mount an NTFS filesystem image (e.g., via `mount test.file /tmp/test`; the reproducer in the description uses a plain file created with fallocate, so no crafted image is needed) triggers the memory leak. Whether `ntfs_fill_super()` succeeds or fails, it sets `fc->fs_private = NULL` without freeing the `ntfs_mount_options` structure. The subsequent call to `ntfs_fs_free()` sees a NULL pointer and skips the deallocation, causing a kernel memory leak (kmemleak reports a 32-byte unreferenced object per mount). No special privileges beyond mount access are required.

Affected code

The bug is in `fs/ntfs3/super.c` in the `ntfs_fill_super()` function. The line `fc->fs_private = NULL;` (removed by the patch) was placed after `sbi->options = options;`, which caused the memory allocated for `ntfs_mount_options` (via `__ntfs_init_fs_context`) to be orphaned. The same open-coded cleanup pattern (`unload_nls`, `kfree` of `nls_name`, `kfree` of options) existed in both `ntfs_put_super()` and the error path of `ntfs_fill_super()`.

What the fix does

The patch removes the line `fc->fs_private = NULL;` in `ntfs_fill_super()` so that the `ntfs_mount_options` pointer remains valid for `ntfs_fs_free()` to clean up. It also replaces the open-coded cleanup (calling `unload_nls()`, `kfree()` on `nls_name`, and `kfree()` on options) with the helper `put_mount_options()` in both `ntfs_put_super()` and the error path of `ntfs_fill_super()`. This ensures the mount options are properly freed regardless of the code path taken.
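To make the ownership mistake concrete, here is a small userspace model of the two code paths. It is an example written for this page, not code from the kernel or from the patch. It assumes the shape the commit message describes: `__ntfs_init_fs_context()` allocates the options into `fc->fs_private`, `ntfs_fill_super()` stores a private duplicate in `sbi->options`, and `ntfs_fs_free()` runs afterwards and frees `fc->fs_private` only if it is still non-NULL. The struct layouts, the refcounted `nls_table` stand-in, `dup_mount_options()` and the allocation counter are all constructed for the model; the counter plays the role of kmemleak.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the CVE-2025-71312 ownership bug (constructed example, not
 * kernel code). Names mirror the ntfs3 ones in the diff; a counter stands in
 * for kmemleak and a refcounted table stands in for the kernel NLS tables. */

static int live_allocs;                 /* tracked allocations still outstanding */
struct nls_table { int refcount; };
static struct nls_table utf8_table;     /* the only NLS table in this model */

static void *track_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }
static char *track_strdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *d = track_alloc(n);
	if (d) memcpy(d, s, n);
	return d;
}
static struct nls_table *load_nls(const char *name) { (void)name; utf8_table.refcount++; return &utf8_table; }
static void unload_nls(struct nls_table *t) { if (t) t->refcount--; }

struct ntfs_mount_options { struct nls_table *nls; char *nls_name; };
struct fs_context { struct ntfs_mount_options *fs_private; };
struct ntfs_sb_info { struct ntfs_mount_options *options; };

/* put_mount_options(): the helper the patch switches to; releases all three resources. */
static void put_mount_options(struct ntfs_mount_options *opts)
{
	if (!opts) return;
	unload_nls(opts->nls);
	track_free(opts->nls_name);
	track_free(opts);
}

/* __ntfs_init_fs_context(): the allocation kmemleak attributed the leak to. */
static int init_fs_context(struct fs_context *fc)
{
	struct ntfs_mount_options *opts = track_alloc(sizeof(*opts));
	if (!opts) return -1;
	opts->nls_name = track_strdup("utf8");
	if (!opts->nls_name) { track_free(opts); return -1; }
	opts->nls = load_nls(opts->nls_name);
	fc->fs_private = opts;
	return 0;
}

/* ntfs_fs_free(): runs after fill_super; a NULL fs_private means "nothing to free". */
static void ntfs_fs_free(struct fs_context *fc)
{
	put_mount_options(fc->fs_private);
	fc->fs_private = NULL;
}

/* Hypothetical copy step: per the commit message sbi->options is a duplicate of
 * fs_private, not an alias, so the copy takes its own NLS reference. */
static struct ntfs_mount_options *dup_mount_options(const struct ntfs_mount_options *src)
{
	struct ntfs_mount_options *dup = track_alloc(sizeof(*dup));
	if (!dup) return NULL;
	dup->nls_name = track_strdup(src->nls_name);
	if (!dup->nls_name) { track_free(dup); return NULL; }
	dup->nls = load_nls(dup->nls_name);
	return dup;
}

/* ntfs_fill_super(): clear_fs_private=1 reproduces the line the patch removes. */
static int fill_super(struct ntfs_sb_info *sbi, struct fs_context *fc, int clear_fs_private)
{
	struct ntfs_mount_options *options = dup_mount_options(fc->fs_private);
	if (!options) return -1;
	sbi->options = options;
	if (clear_fs_private)
		fc->fs_private = NULL;  /* orphans the original: ntfs_fs_free() now sees NULL */
	return 0;
}

/* ntfs_put_super(): hunk 1 of the patch. */
static void put_super(struct ntfs_sb_info *sbi)
{
	put_mount_options(sbi->options);
	sbi->options = NULL;
}

/* One mount/unmount cycle; returns the number of tracked allocations still live. */
int mount_cycle(int buggy)
{
	struct fs_context fc = { 0 };
	struct ntfs_sb_info sbi = { 0 };

	live_allocs = 0;
	utf8_table.refcount = 0;
	if (init_fs_context(&fc) != 0) return -1;
	if (fill_super(&sbi, &fc, buggy) != 0) { ntfs_fs_free(&fc); return -1; }
	ntfs_fs_free(&fc);   /* the VFS frees the context once fill_super has returned */
	put_super(&sbi);     /* umount */
	return live_allocs;
}

/* NLS references still held after the most recent mount_cycle(). */
int nls_refs(void) { return utf8_table.refcount; }

int main(void)
{
	int leaked = mount_cycle(1);
	int refs = nls_refs();
	printf("pre-fix: %d leaked allocation(s), %d dangling nls ref(s)\n", leaked, refs);
	leaked = mount_cycle(0);
	refs = nls_refs();
	printf("fixed:   %d leaked allocation(s), %d dangling nls ref(s)\n", leaked, refs);
	return 0;
}
```

`mount_cycle(1)` follows the pre-fix path and leaves two tracked allocations (the original struct and its nls_name string) plus one NLS reference behind; `mount_cycle(0)` follows the patched path and ends at zero on both counts. The point the model makes is the one the patch relies on: nulling a pointer is not a release. When a later owner such as ntfs_fs_free() treats NULL as "nothing to free", the earlier owner must either free the object itself or leave the pointer alone, and a single helper like put_mount_options() is what keeps the two cleanup sites from drifting apart.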

Preconditions

  • auth: ability to mount a filesystem (e.g., via the mount command on a file or block device)
  • input: an NTFS filesystem image or file to mount (the reproducer in the description uses a plain fallocate'd file, so no crafting is needed)

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.