CVE-2026-46072 PUBLISHED

ntfs3: add buffer boundary checks to run_unpack()

Assigner: Linux
Reserved: 13.05.2026 Published: 27.05.2026 Updated: 27.05.2026

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: add buffer boundary checks to run_unpack()

run_unpack() checks run_buf < run_last at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted.

Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer.

Found by fuzzing with a source-patched harness (LibAFL + QEMU).

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9 (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to e64f7dfcaff79e7dfff9121a382dd77f9b462f62 (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to d3012690a7065d9ca86521a525ad11e8af491d45 (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to 41aadf5cb482793a24e05aa136224e179a778586 (excl.)
  • affected from 82cae269cfa953032fbb8980a7d554d60fb00b17 to b62567bca47408e6739dee75f02a2113548af875 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.15 is affected
  • unaffected from 0 to 5.15 (excl.)
  • unaffected from 6.6.140 to 6.6.* (incl.)
  • unaffected from 6.12.86 to 6.12.* (incl.)
  • unaffected from 6.18.27 to 6.18.* (incl.)
  • unaffected from 7.0.4 to 7.0.* (incl.)
  • unaffected from 7.1-rc1 to * (incl.)

References