Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45935


Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the entry size ('esize') is retrieved from the log record without adequate bounds checking.

Specifically, the code calculates the end of the entry ('e2') using: e2 = Add2Ptr(e1, esize);

It then calculates the size for memmove using 'PtrOffset(e2, ...)', which subtracts the end pointer from the buffer limit. If 'esize' is maliciously large, 'e2' exceeds the used buffer size. This results in a negative offset which, when cast to size_t for memmove, is interpreted as a massive unsigned integer, leading to a heap buffer overflow.

This commit adds a check to ensure that the entry size ('esize') strictly fits within the remaining used space of the index header before performing memory operations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing bounds check in the Linux kernel's NTFS3 driver (fs/ntfs3) leads to a slab-out-of-bounds read via a crafted entry size in the DeleteIndexEntryRoot case of do_action.

Vulnerability

In the Linux kernel's NTFS3 filesystem driver (fs/ntfs3), the do_action function's DeleteIndexEntryRoot case lacks proper bounds checking on the entry size (esize) obtained from a log record. The code calculates the end pointer e2 using Add2Ptr(e1, esize) and then computes a memmove size via PtrOffset(e2, ...). If esize is maliciously large, e2 may exceed the used buffer, causing a negative offset that, when cast to size_t, becomes a huge unsigned value, leading to a heap buffer overflow. The vulnerability affects Linux kernel versions containing the NTFS3 driver prior to the commit a584b9d1059b.[1]

Exploitation

An attacker with the ability to write to a mounted NTFS3 filesystem (e.g., physically or via a malicious storage device) can craft a log record with an oversized entry size. When the kernel processes the index entry deletion operation via DeleteIndexEntryRoot, the missing bounds check allows a slab-out-of-bounds read. No additional user interaction or elevated privileges beyond write access to the filesystem are required.

Impact

Successful exploitation causes a heap buffer overflow that may lead to memory corruption, information disclosure, or denial of service (system crash). The out-of-bounds read occurs in kernel memory, potentially allowing an attacker to read sensitive data or destabilize the system.

Mitigation

The fix was committed to the Linux kernel stable tree as commit a584b9d1059b on or around May 27, 2026. Users should update to a kernel version containing this patch. No workarounds are available; disabling NTFS3 support or avoiding untrusted filesystem images may reduce exposure until patching is applied.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

a584b9d1059b

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Jiasheng Jiang · Jan 17, 2026 · Fixed in 6.6.128 · via kernel-cna
1 file changed · +3 1
  • fs/ntfs3/fslog.c+3 1 modified
    diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
    index 2a1aeab53ea4b5..598b7f42b5e7ec 100644
    --- a/fs/ntfs3/fslog.c
    +++ b/fs/ntfs3/fslog.c
    @@ -3431,6 +3431,9 @@ move_data:
     
     		e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off));
     		esize = le16_to_cpu(e1->size);
    +		if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
    +			goto dirty_vol;
    +
     		e2 = Add2Ptr(e1, esize);
     
     		memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)));
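Review bot: the added guard is only sufficient if e1 is already known to lie inside [hdr, hdr + used). PtrOffset yields a size_t (the description explains the original bug through exactly that cast), so if lrh->attr_off places e1 at or beyond hdr + used the offset wraps to a huge value, `< esize` is false, and `memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)))` still runs with a wrapped length; the read of `e1->size` on the line above the guard also happens before any check. Either attr_off is validated against `used` earlier in do_action, in which case the commit message should say so, or the guard should also reject an e1 that is outside the used region.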
36c03f7f177b

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Jiasheng Jiang · Jan 17, 2026 · Fixed in 5.15.202 · via kernel-cna
1 file changed · +3 1
  • fs/ntfs3/fslog.c+3 1 modified
    diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
    index 6fddedca71f32c..d3d006b63b27ef 100644
    --- a/fs/ntfs3/fslog.c
    +++ b/fs/ntfs3/fslog.c
    @@ -3434,6 +3434,9 @@ move_data:
     
     		e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off));
     		esize = le16_to_cpu(e1->size);
    +		if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
    +			goto dirty_vol;
    +
     		e2 = Add2Ptr(e1, esize);
     
     		memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)));
b271c9cb8592

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Jiasheng Jiang · Jan 17, 2026 · Fixed in 6.1.165 · via kernel-cna
1 file changed · +3 1
  • fs/ntfs3/fslog.c+3 1 modified
    diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
    index 339ce5aa3c75bd..7e6937e7d471fd 100644
    --- a/fs/ntfs3/fslog.c
    +++ b/fs/ntfs3/fslog.c
    @@ -3434,6 +3434,9 @@ move_data:
     
     		e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off));
     		esize = le16_to_cpu(e1->size);
    +		if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
    +			goto dirty_vol;
    +
     		e2 = Add2Ptr(e1, esize);
     
     		memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)));
c065541b71b7

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Jiasheng Jiang · Jan 17, 2026 · Fixed in 6.12.75 · via kernel-cna
1 file changed · +3 1
  • fs/ntfs3/fslog.c+3 1 modified
    diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
    index d0d530f4e2b95e..5afe00972924c4 100644
    --- a/fs/ntfs3/fslog.c
    +++ b/fs/ntfs3/fslog.c
    @@ -3431,6 +3431,9 @@ move_data:
     
     		e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off));
     		esize = le16_to_cpu(e1->size);
    +		if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
    +			goto dirty_vol;
    +
     		e2 = Add2Ptr(e1, esize);
     
     		memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)));
78942172d5bf

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Jiasheng Jiang · Jan 17, 2026 · Fixed in 6.18.14 · via kernel-cna
1 file changed · +3 1
  • fs/ntfs3/fslog.c+3 1 modified
    diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
    index 38934e6978ecec..28bd611f580d9c 100644
    --- a/fs/ntfs3/fslog.c
    +++ b/fs/ntfs3/fslog.c
    @@ -3429,6 +3429,9 @@ move_data:
     
     		e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off));
     		esize = le16_to_cpu(e1->size);
    +		if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
    +			goto dirty_vol;
    +
     		e2 = Add2Ptr(e1, esize);
     
     		memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)));
f3b437a4c3e0

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Jiasheng Jiang · Jan 17, 2026 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +3 1
  • fs/ntfs3/fslog.c+3 1 modified
    diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
    index 38934e6978ecec..28bd611f580d9c 100644
    --- a/fs/ntfs3/fslog.c
    +++ b/fs/ntfs3/fslog.c
    @@ -3429,6 +3429,9 @@ move_data:
     
     		e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off));
     		esize = le16_to_cpu(e1->size);
    +		if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
    +			goto dirty_vol;
    +
     		e2 = Add2Ptr(e1, esize);
     
     		memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)));
b2bc7c44ed17

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Jiasheng Jiang · Jan 17, 2026 · Fixed in 7.0 · via kernel-cna
1 file changed · +3 1
  • fs/ntfs3/fslog.c+3 1 modified
    diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c
    index 4ea94d53a81907..10863c83c31598 100644
    --- a/fs/ntfs3/fslog.c
    +++ b/fs/ntfs3/fslog.c
    @@ -3431,6 +3431,9 @@ move_data:
     
     		e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off));
     		esize = le16_to_cpu(e1->size);
    +		if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
    +			goto dirty_vol;
    +
     		e2 = Add2Ptr(e1, esize);
     
     		memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used)));
Vulnerability mechanics

Root cause

"Missing bounds check on entry size ('esize') read from a log record in the 'DeleteIndexEntryRoot' case of 'do_action' in fs/ntfs3/fslog.c allows a maliciously large value to cause a heap buffer overflow via memmove."

Attack vector

An attacker who can supply a crafted NTFS log file (or otherwise influence the replay of journal records) triggers the 'DeleteIndexEntryRoot' case in the 'do_action' function. The entry size ('esize') is read from the log record without validation [patch_id=2661213]. When 'esize' is maliciously large, the pointer 'e2' computed via Add2Ptr(e1, esize) exceeds the used buffer region, causing PtrOffset(e2, Add2Ptr(hdr, used)) to produce a negative value that is cast to a huge unsigned size_t for memmove, resulting in a slab-out-of-bounds read/write on the heap.

Affected code

The vulnerable code is in the 'DeleteIndexEntryRoot' case of the 'do_action' function in fs/ntfs3/fslog.c. The entry size 'esize' is read via le16_to_cpu(e1->size) and used to compute 'e2 = Add2Ptr(e1, esize)' before a memmove operation, without checking that 'esize' fits within the used buffer region [patch_id=2661213].

What the fix does

The patch adds a single bounds check before the memmove: if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize) goto dirty_vol; [patch_id=2661213]. This verifies that the entry size ('esize') does not exceed the remaining used space in the index header. If the check fails, the code jumps to the 'dirty_vol' error path instead of performing the out-of-bounds memory operation, closing the vulnerability.
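The arithmetic described above, as an added example that is not the kernel's code: a small C model of the DeleteIndexEntryRoot path on a constructed index header, showing the unpatched length computation beside the patched check. Add2Ptr and PtrOffset are assumed here to behave as ntfs3 defines them (byte-pointer addition and a size_t subtraction); the buffer layout (used bytes, entry offset) is constructed.

```c
/* Added example, not kernel code: models the DeleteIndexEntryRoot pointer
 * arithmetic so the size_t wrap and the fix's guard can be seen directly.
 * Add2Ptr/PtrOffset are written to mirror ntfs3's definitions (assumption). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define Add2Ptr(P, I)   ((void *)((uint8_t *)(P) + (I)))
#define PtrOffset(B, O) ((size_t)((size_t)(O) - (size_t)(B)))

/* Constructed index header: the first 'used' bytes are live, the rest slack. */
#define HDR_LEN 128
static uint8_t hdr[HDR_LEN];
static const size_t used = 64;
static const size_t e1_off = 16;   /* where the entry to delete begins */

/* Length memmove would receive on the unpatched path for a given esize. */
size_t unpatched_move_len(size_t esize)
{
	void *e1 = Add2Ptr(hdr, e1_off);
	void *e2 = Add2Ptr(e1, esize);
	/* Wraps to a huge size_t as soon as e2 passes hdr + used. */
	return PtrOffset(e2, Add2Ptr(hdr, used));
}

/* Patched path: reject the entry before forming any pointer past hdr + used.
 * Returns bytes moved, or -1 for the 'dirty_vol' bail-out. */
long patched_delete(size_t esize)
{
	void *e1 = Add2Ptr(hdr, e1_off);
	if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize)
		return -1;                           /* goto dirty_vol */
	void *e2 = Add2Ptr(e1, esize);
	size_t n = PtrOffset(e2, Add2Ptr(hdr, used));
	memmove(e1, e2, n);                          /* now provably in bounds */
	return (long)n;
}

int main(void)
{
	printf("esize=0x10   unpatched len=%zu  patched=%ld\n",
	       unpatched_move_len(0x10), patched_delete(0x10));
	printf("esize=0xffff unpatched len=%zu  patched=%ld\n",
	       unpatched_move_len(0xffff), patched_delete(0xffff));
	return 0;
}
```

The boundary case esize == used - e1_off passes the guard with a zero-length move, which is why the check is `<` rather than `<=`.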

Preconditions

  • input: The attacker must be able to supply or influence a crafted NTFS log file (journal) that is replayed by the kernel's ntfs3 driver.
  • config: The system must have the ntfs3 filesystem driver loaded and be processing a maliciously crafted NTFS volume or log record.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
