PatchSiren cyber security CVE debrief
CVE-2025-71309 Linux CVE debrief
A lock inversion deadlock vulnerability in the Linux kernel's NTFS3 filesystem driver has been resolved. The issue occurred in the compressed folio read path where the inode mutex (ni_lock) and page locks could be acquired in inconsistent order, leading to task hangs. The vulnerability was reported by Syzbot and affects the ni_read_folio_cmpr function (previously ni_readpage_cmpr). The fix restructures locking to acquire page locks before ni_lock, restoring the correct lock ordering consistent with VFS expectations.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
System administrators running Linux systems with NTFS3-mounted volumes, particularly those accessing compressed NTFS files; kernel maintainers and security teams tracking filesystem driver vulnerabilities; and organizations using Linux for NTFS data recovery or interoperability scenarios.
Technical summary
The NTFS3 filesystem driver in the Linux kernel contained a lock inversion vulnerability in the compressed folio read implementation. The function ni_read_folio_cmpr (formerly ni_readpage_cmpr) could deadlock when one task held the inode mutex (ni_lock) while waiting for page locks, and another task held those page locks while waiting for ni_lock. The vulnerability was triggered by concurrent read operations on compressed NTFS files. The fix restructures the locking to acquire all required page locks for the compressed frame before taking ni_lock, ensuring consistent Page Lock -> ni_lock ordering that matches VFS conventions. This prevents the circular wait condition that caused task hangs.
Defensive priority
medium
Recommended defensive actions
- Apply kernel updates containing the referenced commits when available from your Linux distribution
- Monitor vendor security advisories for kernel package updates addressing this issue
- Review systems using NTFS3-mounted volumes for unexpected task hangs or I/O stalls
- Consider temporary mitigation by avoiding concurrent heavy read operations on compressed NTFS files if kernel updates are not immediately available
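One way to carry out the review step above, as an added example that is not part of the advisory or the kernel project: it lists ntfs3 mounts from `/proc/mounts`-format text and picks out kernel hung-task reports whose call trace contains the affected function. It assumes the kernel's hung-task detector is enabled and that a stalled task shows one of the function names given in this debrief in its trace; the sample mounts and log lines are constructed.

```python
import re

# Function names this debrief gives for the affected compressed-read path.
NTFS3_FUNCS = ("ni_read_folio_cmpr", "ni_readpage_cmpr")
HUNG_RE = re.compile(r"INFO: task (\S+):(\d+) blocked for more than (\d+) seconds")
SYM_RE = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample input (not captured from a real system).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/win ntfs3 rw,relatime,uid=0,gid=0,iocharset=utf8 0 0
/dev/sdc1 /mnt/usb vfat rw,relatime 0 0
"""
SAMPLE_KLOG = """\
[ 1201.10] INFO: task tar:4412 blocked for more than 120 seconds.
[ 1201.11] Call Trace:
[ 1201.12]  __schedule+0x3a0/0x9f0
[ 1201.13]  folio_wait_bit_common+0x13d/0x350
[ 1201.14]  ni_read_folio_cmpr+0x1c4/0x6b0
[ 1350.20] INFO: task kworker/u8:2:77 blocked for more than 120 seconds.
[ 1350.21] Call Trace:
[ 1350.22]  ext4_writepages+0x2d1/0xd30
"""

def ntfs3_mounts(mounts_text):
    """Return (device, mountpoint) for each ntfs3 entry in /proc/mounts-format text."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [(f[0], f[1]) for f in rows if len(f) >= 3 and f[2] == "ntfs3"]

def ntfs3_hung_tasks(klog_text):
    """Return (task, pid, function) for hung-task reports that hit the affected path."""
    hits, current = [], None
    for line in klog_text.splitlines():
        m = HUNG_RE.search(line)
        if m:  # start of a new hung-task report
            current = (m.group(1), int(m.group(2)))
            continue
        sym = SYM_RE.search(line)
        if current and sym and sym.group(1) in NTFS3_FUNCS:
            hits.append(current + (sym.group(1),))
            current = None  # count each report once
    return hits

if __name__ == "__main__":
    print("ntfs3 mounts:", ntfs3_mounts(SAMPLE_MOUNTS))
    print("hung tasks in affected path:", ntfs3_hung_tasks(SAMPLE_KLOG))
```

On a live host, feed the functions the contents of `/proc/mounts` and the kernel log instead of the constructed samples.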
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry. The fix involves kernel-level locking changes in the NTFS3 driver. No CVSS score or severity has been assigned as of the CVE publication date. The vulnerability was discovered through Syzbot automated testing.
Official resources
- CVE-2025-71309 CVE record (CVE.org)
- CVE-2025-71309 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
2026-05-27