PatchSiren cyber security CVE debrief
CVE-2025-71265 Linux CVE debrief
CVE-2025-71265 is a Linux kernel ntfs3 flaw that can lead to a denial of service when malformed NTFS metadata is encountered. According to the NVD record, the issue is a local vulnerability with low attack complexity and low privileges required, and it affects multiple Linux kernel release branches. The kernel fix referenced by NVD prevents attr_load_runs_range() from spinning forever when run_lookup_entry() repeatedly fails after an inconsistent empty-run-list condition.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-18
- Original CVE updated: 2026-05-20
- Advisory published: 2026-03-18
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distro security teams, fleet operators, and administrators who mount or process untrusted NTFS volumes or images should prioritize this issue. Environments that use ntfs3 and may encounter user-supplied or external NTFS media are the most relevant.
Technical summary
The supplied description says a malformed NTFS image can present inconsistent metadata: the attribute header can indicate an empty run list (evcn=-1 with svcn=0), while the caller expects actual data. run_unpack() correctly returns early for the empty-run-list case, but if the surrounding metadata is inconsistent, runs_tree remains uninitialized and attr_load_runs_range() can keep calling run_lookup_entry() without making progress. Because vcn is incremented by zero in that failure path, the loop does not terminate. The patch adds a retry counter and returns -EINVAL after repeated lookup failure, which stops the infinite loop and prevents the DoS condition.
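The loop behaviour described above can be reproduced in a userspace model. This is an added example, not the kernel's code or the upstream patch: the `model_*` names, the `runs_model` struct and the retry bound of 3 are assumptions made for illustration, since the description only states that a retry counter was added.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the in-memory run tree; valid == false means empty. */
struct runs_model { uint64_t vcn, len; bool valid; };

#define MODEL_MAX_RETRIES 3 /* assumed bound; the description gives no value */

/* Lookup model: fails when the tree is empty or does not cover vcn. */
static bool model_lookup(const struct runs_model *r, uint64_t vcn, uint64_t *clen)
{
    if (!r->valid || vcn < r->vcn || vcn >= r->vcn + r->len)
        return false;
    *clen = r->vcn + r->len - vcn;
    return true;
}

/* Load model: an "empty run list" header returns success but loads nothing. */
static int model_load(struct runs_model *r, bool header_says_empty, uint64_t vcn)
{
    if (header_says_empty)
        return 0; /* early return, tree stays empty */
    r->vcn = vcn; r->len = 4; r->valid = true; /* constructed 4-cluster run */
    return 0;
}

/* Range-loading loop with the retry bound; returns 0 or -EINVAL. */
int model_load_range(struct runs_model *r, bool header_says_empty,
                     uint64_t from_vcn, uint64_t to_vcn, unsigned *iterations)
{
    unsigned retries = 0;
    uint64_t vcn, clen = 0;

    *iterations = 0;
    for (vcn = from_vcn; vcn <= to_vcn; vcn += clen) {
        (*iterations)++;
        clen = 0; /* a failed lookup advances vcn by zero */
        if (model_lookup(r, vcn, &clen)) {
            retries = 0;
            continue;
        }
        if (++retries > MODEL_MAX_RETRIES)
            return -EINVAL; /* without this bound the loop never ends */
        model_load(r, header_says_empty, vcn);
    }
    return 0;
}
```

With consistent metadata the loop alternates one failed lookup, one load and one successful lookup per run, so the counter resets and never trips; with the inconsistent header every pass fails and the bound ends the loop.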
Defensive priority
Medium. This is a local denial-of-service issue in a kernel filesystem path, so it does not indicate direct remote code execution, but it can still hang or degrade systems that process untrusted NTFS content.
Recommended defensive actions
- Upgrade to a Linux kernel version that includes the ntfs3 fix or verify that your distribution has backported it.
- Check whether your fleet is exposed to untrusted NTFS media, disk images, or removable storage and prioritize patching those systems.
- Confirm remediation against the NVD-listed fixed branches and end versions: 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, and 6.19.6.
- Track vendor advisories and kernel stable backports for your specific distro kernel rather than relying only on upstream version numbers.
- If patching must be delayed, reduce exposure to untrusted NTFS content on systems that rely on ntfs3.
Evidence notes
Evidence is drawn from the supplied NVD record and its official references. NVD marks the vulnerability as Analyzed and classifies it with CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, with CWE-835 listed as the primary weakness. NVD also lists affected Linux kernel ranges for 5.15, 5.16, 6.2, 6.7, 6.13, and 6.19 branches, each with an upper bound indicating the fixed release threshold. The supplied description explains the infinite-loop mechanism and the retry-counter mitigation. The official patch references from git.kernel.org are the primary remediation evidence.
Official resources
- CVE-2025-71265 CVE record (CVE.org)
- CVE-2025-71265 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
CVE published in the supplied NVD data on 2026-03-18 and last modified on 2026-05-20. NVD lists the vulnerability status as Analyzed. The debrief uses those supplied dates for timing context and does not infer discovery or fix timing beyond