CVE-2026-46062 PUBLISHED

ntfs3: fix integer overflow in run_unpack() volume boundary check

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: fix integer overflow in run_unpack() volume boundary check

The volume boundary check lcn + len > sbi->used.bitmap.nbits uses raw addition which can wrap around for large lcn and len values, bypassing the validation. Use check_add_overflow() as is already done for the adjacent prev_lcn + dlcn and vcn64 + len checks added by commit 3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()").

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to a954061b334ec67c79ae9d0cadd83fa521396487 (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to 60dab3e2931f3d792438a77a6cb0cb731c43300b (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to f1af27cec07a9fd0847166bdb23c99e86b05bfdc (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to 6175d09c23bec4b60860ee9a0170308ff4b56e10 (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to 984a415f019536ea2d24de9010744e5302a9a948 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.15 is affected
  • unaffected from 0 to 5.15 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References