{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71267", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-17T09:08:18.457Z", "datePublished": "2026-03-18T10:05:04.008Z", "dateUpdated": "2026-05-11T21:57:05.561Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:57:05.561Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/attrlist.c"], "versions": [{"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "lessThan": "9267d99fade76d44d4a133599524031fe684156e", "status": "affected", "versionType": "git"}, {"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "lessThan": "976e6a7c51fabf150478decbe8ef5d9a26039b7c", "status": "affected", "versionType": "git"}, {"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "lessThan": "8d8c70b57dbeda3eb165c0940b97e85373ca9354", "status": "affected", "versionType": "git"}, {"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "lessThan": "7ef219656febf5ae06ae56b1fce47ebd05f92b68", "status": "affected", "versionType": "git"}, {"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "lessThan": "9779a6eaaabdf47aa57910d352b398ad742e6a5f", "status": "affected", "versionType": "git"}, {"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "lessThan": "fd508939dbca5eceefb2d0c2564beb15469572f2", "status": "affected", "versionType": "git"}, {"version": "be71b5cba2e6485e8959da7a9f9a44461a1bb074", "lessThan": "06909b2549d631a47fcda249d34be26f7ca1711d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/attrlist.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.202", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.202"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e"}, {"url": "https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c"}, {"url": "https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354"}, {"url": "https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68"}, {"url": "https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f"}, {"url": "https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2"}, {"url": "https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d"}], "title": "fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability."}], "id": "CVE-2025-71267", "lastModified": "2026-03-18T14:52:44.227", "metrics": {}, "published": "2026-03-18T11:16:15.720", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST", "id": "2448599", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448599"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2025-71267", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-71267\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-71267\nhttps://lore.kernel.org/linux-cve-announce/2026031816-CVE-2025-71267-2a56@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9267d99fade76d44d4a133599524031fe684156e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,976e6a7c51fabf150478decbe8ef5d9a26039b7c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8d8c70b57dbeda3eb165c0940b97e85373ca9354)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,7ef219656febf5ae06ae56b1fce47ebd05f92b68)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9779a6eaaabdf47aa57910d352b398ad742e6a5f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fd508939dbca5eceefb2d0c2564beb15469572f2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,06909b2549d631a47fcda249d34be26f7ca1711d)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.202,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.165,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.128,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.75,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.16,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.6,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-27T23:21:06.337561+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that includes the ntfs3 fix patch", "If a kernel upgrade cannot be applied immediately, avoid mounting NTFS volumes that could contain untrusted data until the patch is deployed", "If the vulnerability is triggered, terminate the hung mount process or reboot the system to clear the blocked kernel thread", "Monitor system logs for repeated mount failures or kernel hangs that may indicate exploitation attempts"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via infinite loop in ntfs3 filesystem"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel that includes the ntfs3 driver and mounts NTFS volumes is vulnerable. Because the advisory does not list specific kernel versions, all releases before the patch that contain the unmodified ntfs3 code are considered affected. This includes desktop, server, and embedded Linux environments that might automatically mount removable storage devices.", "description_and_impact": "An infinite loop bug exists in the Linux kernel\u2019s ntfs3 filesystem driver. When a malformed NTFS image contains an ATTR_LIST attribute with zero data size, the driver attempts to allocate memory for it, discovers an inconsistent state, and repeatedly reloads and re\u2011enumerates the attribute list. This causes the mount operation to hang indefinitely, effectively denying service to the affected volume.", "risk_and_exploitability": "The exploit probability (EPSS) is below 1% and the vulnerability is not present in CISA\u2019s KEV catalog, indicating a low likelihood of exploitation. The attack vector is inferred to involve an attacker presenting a crafted NTFS image to a system that mounts it, which then triggers the infinite loop and hangs the kernel thread. The impact is limited to denial of service; there is no evidence of privilege escalation or data compromise."}}}}, "created": "2026-03-19T08:56:48.149527+00:00", "updated": "2026-03-29T20:29:07.975415+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-20", "CWE-666"]}