PatchSiren

CVE-2026-46072 Linux CVE debrief

A vulnerability in the Linux kernel's NTFS3 filesystem driver allows out-of-bounds heap reads when mounting crafted NTFS images. The `run_unpack()` function in the NTFS3 driver performs insufficient buffer boundary validation before reading run data from MFT attributes. Specifically, while the function checks `run_buf < run_last` at the loop start, it subsequently calls `run_unpack_s64()` to read `size_size` and `offset_size` bytes without verifying adequate remaining buffer space. A malformed NTFS image with truncated run data can trigger heap memory reads up to 15 bytes beyond allocated boundaries during filesystem mount operations. The vulnerability was identified through fuzzing using LibAFL with QEMU. The fix introduces explicit boundary checks before each `run_unpack_s64()` invocation to ensure declared field sizes do not exceed available buffer space. Multiple stable kernel branches have received patches. No CISA KEV listing or known ransomware campaign association exists.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, security teams in environments where NTFS filesystem mounting is permitted, and organizations with bring-your-own-device policies that may encounter untrusted removable storage.

Technical summary

The NTFS3 driver's `run_unpack()` function parses run data from MFT (Master File Table) attributes to map file extents on disk. The function uses a while loop guarded by a basic pointer comparison (`run_buf < run_last`), but it does not validate that enough bytes remain for the variable-length size and offset fields it then reads via `run_unpack_s64()`. The size and offset fields can each be up to 8 bytes, allowing a maximum over-read of 15 bytes when the buffer is truncated. The over-read occurs during filesystem mount, so the attack vector is local and requires a maliciously crafted NTFS image. The vulnerability is heap-based rather than stack-based. The fix adds explicit length checks before each unpack operation: `if (run_buf + size_size > run_last) return -EINVAL;` and an equivalent check for `offset_size`.
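The bounds rule described above, as an added userspace example (not the kernel's code and not taken from the advisory): a simplified run-list walker that rejects any field whose declared size exceeds the bytes remaining before `run_last`. It assumes the NTFS mapping-pairs header layout (low nibble `size_size`, high nibble `offset_size`); `run_walk`, `unpack_le` and the sample bytes are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Little-endian read of n (0..8) bytes, sign-extended; models run_unpack_s64(). */
static int64_t unpack_le(const uint8_t *p, unsigned n)
{
    uint64_t u = 0;
    for (unsigned i = 0; i < n; i++)
        u |= (uint64_t)p[i] << (8 * i);
    if (n && n < 8 && (p[n - 1] & 0x80))
        u |= ~(uint64_t)0 << (8 * n);          /* sign-extend a negative delta */
    return (int64_t)u;
}

/* Returns the number of runs decoded, or -EINVAL when a declared field is wider
 * than 8 bytes or crosses run_last; *missing is then the shortfall in bytes. */
static int run_walk(const uint8_t *run_buf, size_t len, int64_t *lcn, size_t *missing)
{
    const uint8_t *run_last = run_buf + len;
    int runs = 0;
    *lcn = 0;
    *missing = 0;
    while (run_buf < run_last) {
        unsigned hdr = *run_buf++;
        unsigned field[2] = { hdr & 0xF, hdr >> 4 };  /* size_size, offset_size */
        if (!field[0])
            break;                              /* end-of-list marker */
        for (int f = 0; f < 2; f++) {
            size_t left = (size_t)(run_last - run_buf);
            /* Same test as `run_buf + size_size > run_last`, on remaining length. */
            if (field[f] > 8 || field[f] > left) {
                *missing = field[f] > left ? field[f] - left : 0;
                return -EINVAL;
            }
            if (f == 1)                         /* signed cluster delta */
                *lcn += unpack_le(run_buf, field[f]);
            run_buf += field[f];
        }
        runs++;
    }
    return runs;
}

int main(void)
{
    static const uint8_t cut[] = { 0x21, 0x05, 0x34 };  /* constructed, truncated */
    int64_t lcn;
    size_t miss;
    return run_walk(cut, sizeof cut, &lcn, &miss) == -EINVAL ? 0 : 1;
}
```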

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from stable branches once patches are available for your distribution
  • Restrict mounting of untrusted NTFS filesystem images
  • Consider disabling NTFS3 driver auto-mount for removable media
  • Monitor kernel security advisories for stable branch backports

Evidence notes

Vulnerability description confirms OOB heap read of up to 15 bytes in NTFS3 driver during mount operations. Five kernel.org stable branch commits provided as references. No CVSS score assigned; NVD status 'Awaiting Analysis'. Vendor identification marked low confidence requiring review.

Official resources

2026-05-27