CVE-2025-71266 Overview
CVE-2025-71266 is a Denial of Service (DoS) vulnerability discovered in the Linux kernel's NTFS3 filesystem driver. The vulnerability exists within the indx_find() function, which can enter an infinite loop when processing malformed directory entries. This flaw allows an attacker with access to a crafted NTFS filesystem to cause system resource exhaustion, leading to an Out-of-Memory (OOM) crash.
The vulnerability stems from insufficient validation of INDEX_ENTRY structures within NTFS directory INDEX_ALLOCATION blocks. By manipulating the HAS_SUB_NODE flag and VCN (Virtual Cluster Number) pointer within a malformed dentry, an attacker can force the kernel to repeatedly read the same block while allocating 4 KB of memory on each iteration.
Critical Impact
A malicious NTFS filesystem can cause kernel memory exhaustion and system denial of service through an infinite loop in the indx_find() function.
Affected Products
- Linux kernel with NTFS3 filesystem driver enabled
- Systems mounting untrusted NTFS volumes
- Linux distributions using vulnerable kernel versions
Discovery Timeline
- 2026-03-18 - CVE CVE-2025-71266 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2025-71266
Vulnerability Analysis
The vulnerability resides in the NTFS3 filesystem driver's index lookup mechanism. When the kernel performs directory lookups on an NTFS volume, it uses the indx_find() function to traverse INDEX_ENTRY structures stored in INDEX_ALLOCATION blocks.
The root problem is that the NTFS3 driver lacks proper VCN loop detection and depth limits when traversing these index structures. An attacker can craft a malicious NTFS filesystem where an INDEX_ENTRY has the HAS_SUB_NODE flag set with a VCN pointer that points back to the same block or creates a circular reference. This causes the indx_find() function to enter an infinite loop, continuously allocating 4 KB of memory with each iteration.
As the loop continues indefinitely, system memory becomes exhausted, eventually triggering the kernel's OOM (Out-of-Memory) killer. This results in a complete denial of service condition that may require a system reboot to recover.
Root Cause
The root cause is the absence of return value checking for the fnd_push() function within indx_find(). The fnd_push() function is designed to track visited nodes during index traversal. When the index depth exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL to signal an error condition.
However, prior to the patch, the indx_find() function did not check this return value, allowing the traversal to continue even when the maximum depth was exceeded or when circular references were encountered. This oversight enabled the infinite loop condition and subsequent memory exhaustion.
Attack Vector
The attack requires local access or the ability to present a maliciously crafted NTFS filesystem to a vulnerable system. Attack scenarios include:
Physical Access: An attacker with physical access can insert a USB drive containing a malicious NTFS filesystem. When the system attempts to mount or enumerate the volume, the vulnerability is triggered.
Remote Exploitation via File Sharing: If the vulnerable system mounts NTFS volumes over a network (such as through CIFS/SMB shares on Windows systems), an attacker controlling the remote storage could present a malicious filesystem structure.
Container Escape Scenarios: In containerized environments where NTFS volumes are mounted from untrusted sources, this vulnerability could be used to crash the host kernel.
The attack leverages the following mechanism: A crafted NTFS filesystem contains a directory with an INDEX_ALLOCATION block where an INDEX_ENTRY has the HAS_SUB_NODE flag enabled. The VCN pointer in this entry is manipulated to reference the same block or create a circular reference chain. When the kernel performs any operation requiring directory lookup (such as listing files or path resolution), the indx_find() function enters an infinite loop, allocating memory until the system crashes.
Detection Methods for CVE-2025-71266
Indicators of Compromise
- Sudden kernel memory consumption increases when accessing NTFS volumes
- System hangs or unresponsiveness during NTFS directory operations
- OOM killer activation logs in /var/log/kern.log or dmesg output associated with NTFS3 operations
- Process context showing indx_find or ntfs3-related functions in stack traces
Detection Strategies
- Monitor for abnormal memory allocation patterns in kernel space, particularly associated with filesystem operations
- Implement syscall monitoring for mount operations involving NTFS filesystems from untrusted sources
- Deploy kernel live patching solutions to detect and alert on unpatched systems
- Use kernel auditing tools to track NTFS mount operations and flag volumes from removable or untrusted storage
Monitoring Recommendations
- Enable kernel memory allocation monitoring and set thresholds for alerting on rapid memory consumption
- Configure auditd rules to log all filesystem mount operations: auditctl -w /bin/mount -p x -k mount_ops
- Monitor system logs for OOM killer events and correlate with recent NTFS mount activities
- Implement endpoint detection rules that flag NTFS3-related kernel operations consuming excessive resources
How to Mitigate CVE-2025-71266
Immediate Actions Required
- Apply the kernel patches referenced in the security advisories immediately
- Disable automatic mounting of NTFS filesystems from untrusted sources until patched
- Review and restrict which users and processes can mount NTFS volumes
- Consider disabling the NTFS3 kernel module on systems that do not require NTFS support: modprobe -r ntfs3
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix adds proper return value checking for the fnd_push() function within indx_find(). When the index depth exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL, and the patched indx_find() function now properly checks this return value and stops processing, preventing further memory allocation.
Multiple kernel branches have been patched. The fix has been committed across several kernel versions as evidenced by the multiple commit references. System administrators should update to the latest stable kernel release for their distribution. Relevant patches can be found at:
- Linux Kernel Commit 0ad7a1be44
- Linux Kernel Commit 14c3188afb
- Linux Kernel Commit 1732053c8a
- Linux Kernel Commit 398e768d1a
- Linux Kernel Commit 435d34719d
- Linux Kernel Commit 68e32694be
- Linux Kernel Commit b0ea441f44
Workarounds
- Blacklist the ntfs3 kernel module to prevent automatic loading: add blacklist ntfs3 to /etc/modprobe.d/blacklist.conf
- Use the user-space ntfs-3g driver as an alternative for mounting NTFS volumes until the kernel is patched
- Restrict NTFS mount capabilities to trusted administrators only using mount policies or SELinux/AppArmor rules
- Block removable media automount for untrusted users through udev rules or desktop environment settings
# Disable NTFS3 kernel module
echo "blacklist ntfs3" >> /etc/modprobe.d/blacklist-ntfs3.conf
echo "install ntfs3 /bin/false" >> /etc/modprobe.d/blacklist-ntfs3.conf
# Unload the module if currently loaded
modprobe -r ntfs3
# Update initramfs to persist changes
update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
