PatchSiren cyber security CVE debrief
CVE-2026-46062 Linux CVE debrief
A vulnerability in the Linux kernel's ntfs3 filesystem driver has been resolved. The issue was an integer overflow in the `run_unpack()` function's volume boundary check. The original check `lcn + len > sbi->used.bitmap.nbits` used raw addition that could wrap around for large `lcn` and `len` values, allowing validation to be bypassed. The fix applies `check_add_overflow()`, consistent with adjacent overflow checks added in a prior commit (3ac37e100385). The vulnerability was discovered through fuzzing using LibAFL with QEMU. Multiple stable kernel branches have received patches.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Linux system administrators, kernel maintainers, and security teams managing systems that mount NTFS filesystems, particularly those handling untrusted or externally sourced NTFS volumes. Organizations with embedded Linux devices using ntfs3 should prioritize patching.
Technical summary
The ntfs3 filesystem driver in the Linux kernel contained an integer overflow vulnerability in the `run_unpack()` function. The volume boundary validation check used raw addition (`lcn + len > sbi->used.bitmap.nbits`), which could wrap around when processing NTFS runlists with large logical cluster number (lcn) and length (len) values. A wrapped sum compares below the volume size, so the boundary check incorrectly passes, potentially allowing out-of-bounds access. The resolution replaces the raw addition with `check_add_overflow()`, matching the defensive pattern already implemented for the adjacent checks in the same function (`prev_lcn + dlcn` and `vcn64 + len`) from commit 3ac37e100385. Patches have been applied to multiple stable kernel branches.
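To make the wrap-around in the summary and technical summary concrete, here is an added example (written for this debrief, not the kernel's code) that models the vulnerable check beside the fixed form and runs both over a constructed runlist. The 32-bit CLST type, the size_t bitmap size and the sample values are assumptions, and the kernel's `check_add_overflow()` is stood in for by the compiler's `__builtin_add_overflow` it is built on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the run_unpack() boundary check described above, not
 * the kernel's code. Assumed types: 32-bit unsigned cluster numbers (CLST)
 * and a size_t bitmap size, using the page's lcn / len / nbits names. */
typedef uint32_t CLST;

struct run { CLST lcn; CLST len; };

/* Vulnerable form: lcn + len is computed in 32-bit arithmetic and can wrap,
 * so a huge lcn with a small len compares below nbits and passes. */
static bool run_fits_vulnerable(const struct run *r, size_t nbits)
{
    return r->lcn + r->len <= nbits;
}

/* Fixed form: the kernel's check_add_overflow() is built on the compiler's
 * __builtin_add_overflow, used directly here. A wrapped sum is rejected
 * before any comparison with nbits takes place. */
static bool run_fits_fixed(const struct run *r, size_t nbits)
{
    CLST end;
    if (__builtin_add_overflow(r->lcn, r->len, &end))
        return false;
    return end <= nbits;
}

/* Count how many runs of a runlist a given check would accept. */
static int count_accepted(const struct run *runs, int n, size_t nbits,
                          bool (*fits)(const struct run *, size_t))
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += fits(&runs[i], nbits);
    return ok;
}

/* Constructed runlist for a volume of 1,000,000 clusters: one valid run,
 * one honestly out-of-range run, and two whose lcn + len wraps past 2^32. */
#define NBITS ((size_t)1000000)
static const struct run SAMPLE_RUNS[] = {
    { 1000,       100  },   /* in range             */
    { 999990,     100  },   /* ends past the volume */
    { 0xFFFFFFF0, 0x20 },   /* wraps to 16          */
    { 0xFFFFFFFF, 1    },   /* wraps to 0           */
};
#define N_SAMPLE ((int)(sizeof SAMPLE_RUNS / sizeof SAMPLE_RUNS[0]))
```

The raw check accepts three of the four runs (including both wrapped ones); the overflow-checked form accepts only the in-range run.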
Defensive priority
medium
Recommended defensive actions
- Apply kernel updates from your Linux distribution when available for CVE-2026-46062
- Verify that the ntfs3 module is not loaded on systems that do not require NTFS filesystem support
- Monitor kernel stable branch announcements for backported fixes
- Review systems that mount untrusted NTFS filesystems as higher priority for patching
Evidence notes
The vulnerability description indicates this was found through fuzzing with a source-patched harness (LibAFL + QEMU), suggesting active security research but no evidence of in-the-wild exploitation. The fix applies established overflow checking patterns already present in the same function.
Official resources
- CVE-2026-46062 CVE record (CVE.org)
- CVE-2026-46062 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
2026-05-27