CVE-2025-71265 Overview
CVE-2025-71265 is a Denial of Service (DoS) vulnerability in the Linux kernel's NTFS3 file system driver. The vulnerability exists in the attr_load_runs_range() function, where inconsistent metadata in a malformed NTFS image can trigger an infinite loop, causing system resources to be exhausted and resulting in a denial of service condition.
The flaw occurs when an attribute header indicates an empty run list (with evcn=-1 and svcn=0) while directory entries reference it as containing actual data. This metadata inconsistency causes the run_lookup_entry() function to fail repeatedly, and because clen is set to 0, the loop increments vcn by zero (vcn += 0), creating an infinite loop that cannot exit.
Critical Impact
A maliciously crafted NTFS image can cause kernel-level infinite loops, leading to complete system unresponsiveness and denial of service conditions on Linux systems with NTFS3 file system support enabled.
Affected Products
- Linux Kernel with NTFS3 file system driver enabled
- Systems mounting untrusted NTFS volumes
- Linux distributions with NTFS3 kernel module loaded
Discovery Timeline
- 2026-03-18 - CVE-2025-71265 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2025-71265
Vulnerability Analysis
This infinite loop vulnerability resides in the NTFS3 file system implementation within the Linux kernel. The root cause involves a metadata consistency issue between attribute headers and run list data structures.
In NTFS file systems, setting evcn=-1 with svcn=0 is a legitimate representation of an empty run list. The run_unpack() function correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problematic edge case when metadata is inconsistent.
When the attribute header claims to be empty but the caller expects to read actual data, run_unpack() returns success immediately, leaving the runs_tree uninitialized with run->runs as NULL. The calling function attr_load_runs_range() interprets this successful return as confirmation that runs were loaded and sets clen to 0.
Root Cause
The vulnerability stems from insufficient validation of metadata consistency between attribute headers and their referenced run lists. Specifically:
- The run_unpack() function returns success when encountering an empty run list indicator (evcn=-1, svcn=0)
- This leaves the runs_tree data structure uninitialized with a NULL run->runs pointer
- The attr_load_runs_range() function assumes successful return means valid data was loaded
- When run_lookup_entry() fails on the uninitialized structure, clen is set to 0
- The subsequent vcn += clen operation increments by zero, causing an infinite loop
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious NTFS image file with inconsistent metadata. The attack requires local access to mount the malformed file system or the ability to trick a user into mounting an untrusted NTFS volume. When a system attempts to read directory entries from the corrupted NTFS image, the infinite loop is triggered.
The attack could be delivered through:
- Malicious USB drives containing crafted NTFS partitions
- Downloaded NTFS disk images
- Network-mounted NTFS volumes from untrusted sources
- Virtual machine disk files with NTFS partitions
The exploitation mechanism involves the following flow: A crafted NTFS image contains an attribute header indicating an empty run list (evcn=-1, svcn=0) while directory entries reference it as containing actual data. When the kernel attempts to resolve this reference, the attr_load_runs_range() function enters an infinite loop due to the metadata inconsistency. For detailed technical information, see the kernel git commits in the external references.
Detection Methods for CVE-2025-71265
Indicators of Compromise
- Unexplained system hangs or unresponsiveness when mounting NTFS volumes
- High CPU utilization on a single core with kernel stack traces pointing to NTFS3 functions
- System logs showing repeated NTFS3 driver activity without completion
- Kernel panic or watchdog timeouts related to NTFS3 operations
Detection Strategies
- Monitor for attr_load_runs_range and run_lookup_entry function calls in kernel debug logs
- Implement file system integrity checking before mounting untrusted NTFS volumes
- Use runtime kernel monitoring tools to detect infinite loops in file system drivers
- Enable kernel function tracing (ftrace) for NTFS3 subsystem operations
Monitoring Recommendations
- Configure system monitoring to alert on sustained 100% CPU usage by kernel threads
- Implement watchdog timers to detect and recover from kernel hangs
- Log all NTFS volume mount operations, especially from removable media
- Monitor kernel log messages for NTFS3 driver warnings or errors
How to Mitigate CVE-2025-71265
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Restrict NTFS3 file system mounting to trusted volumes only
- Disable automatic mounting of removable media with NTFS file systems
- Consider temporarily blacklisting the ntfs3 kernel module if not required
Patch Information
The Linux kernel maintainers have released patches that add a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, the function returns -EINVAL, indicating corrupted metadata and preventing the infinite loop condition.
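The loop described under Root Cause and the retry-counter fix described above, modelled in user space as an added example (not the kernel's source and not part of the original advisory). The struct layouts, the helper names lookup, unpack and load_range, the constructed sample attributes, and the budget parameter (which only lets the unpatched model terminate, returning -ELOOP in place of the hang) are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model, not kernel source; these types are assumptions. */
struct run { uint64_t vcn, len; };
struct attr { int64_t svcn, evcn; const struct run *runs; size_t count; };
struct runs_tree { const struct run *runs; size_t count; };

/* Constructed samples: a consistent attribute and the inconsistent "empty" one. */
static const struct run ok_runs[] = { { 0, 8 } };
static const struct attr ok_attr = { 0, 7, ok_runs, 1 };
static const struct attr bad_attr = { 0, -1, NULL, 0 }; /* svcn=0, evcn=-1 */

/* Stand-in for run_lookup_entry(): returns 1 and sets *clen if vcn is mapped. */
static int lookup(const struct runs_tree *t, uint64_t vcn, uint64_t *clen)
{
    for (size_t i = 0; i < t->count; i++) {
        uint64_t end = t->runs[i].vcn + t->runs[i].len;
        if (vcn >= t->runs[i].vcn && vcn < end) { *clen = end - vcn; return 1; }
    }
    return 0;
}

/* Stand-in for run_unpack(): loads the runs unless the header says "empty". */
static int unpack(struct runs_tree *t, const struct attr *a)
{
    if (a->evcn + 1 != a->svcn) { t->runs = a->runs; t->count = a->count; }
    return 0; /* evcn + 1 == svcn: "success" with the tree left empty */
}

/* Loop shape of attr_load_runs_range(); patched=1 adds the retry counter. */
int load_range(const struct attr *a, uint64_t vcn, uint64_t last, int patched, unsigned budget)
{
    struct runs_tree t = { NULL, 0 };
    uint64_t clen = 0;
    int err, retry = 0;
    for (; vcn <= last; vcn += clen) {
        if (budget-- == 0) return -ELOOP;      /* model only: stands in for the hang */
        if (lookup(&t, vcn, &clen)) { retry = 0; continue; }
        if (patched && retry) return -EINVAL;  /* second miss in a row: corrupt metadata */
        if ((err = unpack(&t, a)) != 0) return err;
        clen = 0;                              /* next lookup is expected to succeed */
        retry++;
    }
    return 0;
}

int main(void) { return load_range(&ok_attr, 0, 7, 1, 1000) || load_range(&bad_attr, 0, 7, 1, 1000) != -EINVAL; }
```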
The following kernel git commits contain the fix:
Workarounds
- Blacklist the NTFS3 kernel module by adding blacklist ntfs3 to /etc/modprobe.d/blacklist.conf
- Use the FUSE-based ntfs-3g driver as an alternative until the kernel is updated
- Implement mount restrictions using /etc/fstab or mount policies to prevent untrusted NTFS volumes
- Enable SELinux or AppArmor policies to restrict NTFS mounting capabilities
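# Configuration example (run as root)
# Blacklist NTFS3 kernel module to prevent automatic loading
# (blacklist only stops alias-based auto-loading; an explicit "modprobe ntfs3" still loads it)
echo "blacklist ntfs3" >> /etc/modprobe.d/blacklist-ntfs3.conf
# Unload the module if currently loaded (fails while an ntfs3 volume is still mounted)
modprobe -r ntfs3
# Update initramfs to persist the change (Debian/Ubuntu command)
update-initramfs -u
# Verify module is not loaded (no output means it is not loaded)
lsmod | grep ntfs3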

