PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45935 Linux CVE debrief

A slab-out-of-bounds read vulnerability exists in the Linux kernel's NTFS3 filesystem driver, specifically within the `DeleteIndexEntryRoot` case of the `do_action` function. The flaw stems from insufficient bounds validation when retrieving the entry size (`esize`) from a log record. When calculating the end of an entry pointer (`e2`) by adding `esize` to the entry start (`e1`), a maliciously large `esize` value causes `e2` to exceed the allocated buffer boundary. Subsequent `PtrOffset` calculations produce a negative offset that, when cast to `size_t` for `memmove` operations, wraps to a massive unsigned integer, resulting in heap buffer overflow conditions. The vulnerability was resolved by adding strict validation to ensure `esize` fits within the remaining used space of the index header before any memory operations are performed. This affects systems mounting NTFS filesystems using the kernel's native NTFS3 driver.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators managing NTFS filesystem mounts, security teams tracking kernel filesystem driver vulnerabilities, and organizations with mixed Windows/Linux environments that use the native NTFS3 driver.

Technical summary

The vulnerability resides in `fs/ntfs3` within the `DeleteIndexEntryRoot` handling path of the `do_action` function. The code retrieves `esize` (entry size) from NTFS log records without validating it against the actual buffer bounds. The pointer arithmetic `e2 = Add2Ptr(e1, esize)` followed by `PtrOffset(e2, ...)` creates a signed-to-unsigned conversion vulnerability: when `esize` exceeds the available space, the negative `PtrOffset` result becomes a very large `size_t` value passed to `memmove`, causing heap buffer overflow. The fix implements explicit bounds verification ensuring `esize` ≤ remaining index header space before the pointer arithmetic is performed.
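
The wrap described above, as an added userspace model in C (not the kernel's code and not the actual patch). Integer offsets stand in for the `e1`/`e2` pointers; the struct, function names and sample buffer are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: struct and function names are hypothetical. */
struct idx_model {
    uint32_t used;   /* bytes of buf in use (stands in for the index header's used space) */
    uint8_t buf[64];
};

/* Constructed sample: 32 used bytes, each holding its own offset. */
struct idx_model make_sample(void)
{
    struct idx_model ix = { .used = 32 };
    for (uint32_t i = 0; i < ix.used; i++)
        ix.buf[i] = (uint8_t)i;
    return ix;
}

/* Length the unchecked path would compute: a signed offset cast to size_t. */
size_t tail_len_unchecked(const struct idx_model *ix, uint32_t e1_off, uint32_t esize)
{
    int64_t off = (int64_t)ix->used - ((int64_t)e1_off + (int64_t)esize);
    return (size_t)off;   /* a negative off wraps to a huge unsigned value */
}

/* Hardened delete: reject esize unless it fits in the used space after e1. */
int delete_entry_checked(struct idx_model *ix, uint32_t e1_off, uint32_t esize)
{
    if (ix->used > sizeof ix->buf || e1_off > ix->used)
        return -1;
    if (esize > ix->used - e1_off)
        return -1;        /* e2 would land past the used area */
    memmove(ix->buf + e1_off, ix->buf + e1_off + esize, ix->used - e1_off - esize);
    ix->used -= esize;
    return 0;
}

int main(void)
{
    struct idx_model ix = make_sample();
    printf("unchecked length, esize=0x1000: %zu\n", tail_len_unchecked(&ix, 8, 0x1000));
    printf("checked delete, esize=0x1000: %d\n", delete_entry_checked(&ix, 8, 0x1000));
    int rc = delete_entry_checked(&ix, 8, 8);
    printf("checked delete, esize=8: %d (used=%u)\n", rc, ix.used);
    return 0;
}
```

The check runs before any length is derived from `esize`, so an oversized value is rejected while the buffer is still untouched.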

Defensive priority

High

Recommended defensive actions

  • Apply kernel updates containing the referenced stable branch commits when available through distribution security channels
  • Restrict untrusted user access to NTFS filesystem mount operations until patching is complete
  • Monitor system logs for unexpected NTFS driver errors or kernel oops messages that may indicate exploitation attempts
  • Verify NTFS filesystem images from untrusted sources before mounting on unpatched systems

Evidence notes

The vulnerability description is sourced from the official CVE record and the NVD entry published 2026-05-27. Patch commits referenced in the source metadata confirm that the fix was implemented across stable kernel branches. There is no KEV listing or known exploitation in the wild as of the disclosure date.
