PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71266 Linux CVE debrief

CVE-2025-71266 is a Linux kernel ntfs3 vulnerability in directory lookup handling. A malformed dentry can drive indx_find() into a repeated loop over the same index block, and the missing return-value check on fnd_push() allows processing to continue when the node stack is exceeded. The result is repeated 4 KB allocations, memory exhaustion, and a local denial of service, including a hang or OOM crash. NVD classifies the issue as CVSS 5.5/Medium with low-privilege, local attack requirements and high availability impact.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-05-21
Advisory published
2026-03-18
Advisory updated
2026-05-21

Who should care

Linux kernel and distro maintainers, operations teams, and system owners who run ntfs3 or mount untrusted NTFS volumes. It is especially relevant anywhere kernel availability matters and local users or mounted media can influence filesystem lookups.

Technical summary

NVD lists this as CWE-835 (infinite loop) affecting the Linux kernel ntfs3 filesystem. The issue is triggered during lookup operations on malformed directory data in INDEX_ALLOCATION blocks. The published fix is to check the return value of fnd_push() inside indx_find(); when the node array limit is reached, fnd_push() returns -EINVAL and indx_find() stops instead of continuing to allocate memory. NVD's affected-version ranges include: 5.15.1 through before 5.15.202; 5.16 through before 6.1.165; 6.2 through before 6.6.128; 6.7 through before 6.12.75; 6.13 through before 6.18.16; and 6.19 through before 6.19.6. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Defensive priority

Medium

Recommended defensive actions

  • Apply the Linux kernel updates that contain the ntfs3 fix, or install your vendor's backported security update for the affected branch.
  • Verify whether your systems use ntfs3 and prioritize patching those hosts if they mount untrusted NTFS media or depend on NTFS access.
  • Track distro advisories for the affected kernel branches listed by NVD and confirm the fix is present in your shipped kernel build.
  • If you cannot patch immediately, reduce exposure to untrusted NTFS content until an updated kernel is deployed.
  • Validate remediation by confirming the patched kernel includes the stable backport commit references linked in NVD.

Evidence notes

All substantive claims are supported by the supplied CVE/NVD record and the linked Linux kernel stable patch references. The CVE description states the failure to check fnd_push() in indx_find() causes an infinite-loop DoS and memory exhaustion. NVD provides the CVSS vector, CWE-835 mapping, and affected-version ranges. The kernel.org stable references indicate the existence of vendor upstream/stable patches for remediation.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-03-18. The NVD record was last modified on 2026-05-21. No KEV listing was provided in the supplied data.