{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71266", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-17T09:08:18.457Z", "datePublished": "2026-03-18T10:05:02.997Z", "dateUpdated": "2026-04-13T06:02:32.286Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-13T06:02:32.286Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: check return value of indx_find to avoid infinite loop\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed dentry in the ntfs3 filesystem can cause the kernel to hang\nduring the lookup operations. By setting the HAS_SUB_NODE flag in an\nINDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the\nVCN pointer, an attacker can cause the indx_find() function to repeatedly\nread the same block, allocating 4 KB of memory each time. The kernel lacks\nVCN loop detection and depth limits, causing memory exhaustion and an OOM\ncrash.\n\nThis patch adds a return value check for fnd_push() to prevent a memory\nexhaustion vulnerability caused by infinite loops. When the index exceeds the\nsize of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()\nfunction checks this return value and stops processing, preventing further\nmemory allocation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/index.c"], "versions": [{"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "14c3188afbedfd5178bbabb8002487ea14b37b56", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "435d34719db0e130f6f0c621d67ed524cc1a7d10", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "68e32694be231c1cdb99b7637a657314e88e1a96", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "398e768d1accd1f5645492ab996005d7aa84a5b0", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "b0ea441f44ce64fa514a415d4a9e6e2b06e7946c", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "0ad7a1be44479503dbe5c699759861ef5b8bd70c", "status": "affected", "versionType": "git"}, {"version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "lessThan": "1732053c8a6b360e2d5afb1b34fe9779398b072c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/index.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.202", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.202"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/14c3188afbedfd5178bbabb8002487ea14b37b56"}, {"url": "https://git.kernel.org/stable/c/435d34719db0e130f6f0c621d67ed524cc1a7d10"}, {"url": "https://git.kernel.org/stable/c/68e32694be231c1cdb99b7637a657314e88e1a96"}, {"url": "https://git.kernel.org/stable/c/398e768d1accd1f5645492ab996005d7aa84a5b0"}, {"url": "https://git.kernel.org/stable/c/b0ea441f44ce64fa514a415d4a9e6e2b06e7946c"}, {"url": "https://git.kernel.org/stable/c/0ad7a1be44479503dbe5c699759861ef5b8bd70c"}, {"url": "https://git.kernel.org/stable/c/1732053c8a6b360e2d5afb1b34fe9779398b072c"}], "title": "fs: ntfs3: check return value of indx_find to avoid infinite loop", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: check return value of indx_find to avoid infinite loop\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed dentry in the ntfs3 filesystem can cause the kernel to hang\nduring the lookup operations. By setting the HAS_SUB_NODE flag in an\nINDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the\nVCN pointer, an attacker can cause the indx_find() function to repeatedly\nread the same block, allocating 4 KB of memory each time. The kernel lacks\nVCN loop detection and depth limits, causing memory exhaustion and an OOM\ncrash.\n\nThis patch adds a return value check for fnd_push() to prevent a memory\nexhaustion vulnerability caused by infinite loops. When the index exceeds the\nsize of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find()\nfunction checks this return value and stops processing, preventing further\nmemory allocation."}], "id": "CVE-2025-71266", "lastModified": "2026-03-18T14:52:44.227", "metrics": {}, "published": "2026-03-18T11:16:15.560", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0ad7a1be44479503dbe5c699759861ef5b8bd70c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/14c3188afbedfd5178bbabb8002487ea14b37b56"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1732053c8a6b360e2d5afb1b34fe9779398b072c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/398e768d1accd1f5645492ab996005d7aa84a5b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/435d34719db0e130f6f0c621d67ed524cc1a7d10"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/68e32694be231c1cdb99b7637a657314e88e1a96"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b0ea441f44ce64fa514a415d4a9e6e2b06e7946c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: fs: ntfs3: check return value of indx_find to avoid infinite loop", "id": "2448597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448597"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2025-71266", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-71266\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-71266\nhttps://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71266-d35d@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,14c3188afbedfd5178bbabb8002487ea14b37b56)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,435d34719db0e130f6f0c621d67ed524cc1a7d10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,68e32694be231c1cdb99b7637a657314e88e1a96)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,398e768d1accd1f5645492ab996005d7aa84a5b0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b0ea441f44ce64fa514a415d4a9e6e2b06e7946c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0ad7a1be44479503dbe5c699759861ef5b8bd70c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1732053c8a6b360e2d5afb1b34fe9779398b072c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.202,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.165,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.128,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.75,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.16,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.6,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-18T11:22:12.992376+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that implements the fnd_push() return value check; obtain a kernel update that includes the referenced patch commit.", "Avoid mounting NTFS3 file systems that originate from untrusted or unknown sources until the kernel is updated.", "If an update is not immediately possible, restrict access to the device so that only trusted users can mount it.", "Check vendor or distribution security advisories for updates or additional mitigations."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux systems that use the Linux kernel and are capable of mounting NTFS3 file systems are affected. No specific kernel versions are listed in the CNA data, so any kernel that contains the unpatched ntfs3 driver is potentially vulnerable. Users should verify whether their kernel contains the patch by checking the commit referenced in the CVE description or the kernel release notes.", "description_and_impact": "The vulnerability is an infinite loop in the ntfs3 filesystem driver of the Linux kernel. A maliciously crafted dentry can set the HAS_SUB_NODE flag and manipulate the VCN pointer in an INDEX_ENTRY so that the indx_find() routine repeatedly reads the same block. Each iteration allocates an additional 4 KB of memory without any loop detection or depth limits, exhausting kernel memory and triggering an OOM kill. The problem is mitigated by checking the return value of fnd_push() so that when the index exceeds the fnd->nodes array, the function returns -EINVAL and the loop is terminated. This prevents the memory exhaustion and kernel crash that would otherwise result.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an attacker must be able to provide a malformed NTFS file system, either by creating a malicious volume or by compromising a system that mounts an untrusted volume. Once the malicious ATA volume is mounted, the kernel will hang during lookup operations, leading to a denial-of-service condition. The exploit requires file system manipulation and no network or web interface; therefore the risk is high for systems that mount untrusted NTFS volumes or run with insufficient isolation."}}}}, "created": "2026-03-18T12:12:47.842127+00:00", "updated": "2026-03-24T10:59:01.159255+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}