CVE-2025-71289 Overview
CVE-2025-71289 affects the Linux kernel's ntfs3 filesystem driver. The vulnerability resides in the truncation logic, where errors returned by attr_set_size() during file shrink operations are silently ignored. When the call fails, the inode can be left in an inconsistent state, leading to filesystem metadata corruption or unstable in-memory inode structures. The issue has been resolved upstream through commits to the stable kernel tree. Local users mounting or operating on NTFS volumes via the ntfs3 driver are affected.
Critical Impact
Silent failure of attr_set_size() during NTFS file truncation can leave inodes in an inconsistent state, risking filesystem corruption and potential data integrity issues on ntfs3-mounted volumes.
Affected Products
- Linux kernel fs/ntfs3 filesystem driver
- Distributions shipping kernels with the ntfs3 driver enabled
- Systems mounting NTFS volumes using the in-tree ntfs3 filesystem
Discovery Timeline
- 2026-05-06 - CVE-2025-71289 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71289
Vulnerability Analysis
The ntfs3 driver implements file truncation by calling attr_set_size() to adjust the size of an NTFS attribute backing the inode data. When a truncate-down operation reduces a file's length, the driver did not propagate failures returned by attr_set_size(). The return value was discarded, allowing code execution to continue as if the resize had succeeded.
If attr_set_size() fails midway, the on-disk attribute layout and the in-memory inode size can diverge. Subsequent reads, writes, or metadata operations on the affected inode then operate on stale or partial state. This class of defect is improper error handling in kernel filesystem code, and it fits the broader file system vulnerability and kernel vulnerability categories.
The upstream fix introduces explicit checks of the attr_set_size() return value and surfaces the error to the caller. The corrected logic prevents the inode from being marked as successfully truncated when the underlying attribute resize did not complete.
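The pattern described above, as an added userspace C model (not the ntfs3 source and not the upstream patch): the struct, the function names and the injected -EIO failure are hypothetical, and the model assumes a failed resize leaves the attribute unchanged.

```c
#include <errno.h>
#include <stdio.h>
/* Userspace model only; every name here is hypothetical, not ntfs3 code. */
struct model_inode {
    long i_size;    /* size the in-memory inode reports */
    long attr_size; /* size recorded in the backing attribute ("on disk") */
};

/* Stand-in for an attribute resize that can fail (constructed -EIO). */
static int model_attr_set_size(struct model_inode *ni, long new_size, int inject_err)
{
    if (inject_err)
        return -EIO;           /* assumption: attribute left unchanged */
    ni->attr_size = new_size;
    return 0;
}

/* Pre-fix pattern: return value discarded, inode size updated regardless. */
int truncate_ignoring_error(struct model_inode *ni, long new_size, int inject_err)
{
    (void)model_attr_set_size(ni, new_size, inject_err);
    ni->i_size = new_size;     /* inode now claims a size the attribute lacks */
    return 0;                  /* caller is told the truncate succeeded */
}

/* Post-fix pattern: check the result, propagate it, skip the inode update. */
int truncate_checked(struct model_inode *ni, long new_size, int inject_err)
{
    int err = model_attr_set_size(ni, new_size, inject_err);
    if (err)
        return err;            /* inode is not marked as truncated */
    ni->i_size = new_size;
    return 0;
}

/* Returns 1 when the in-memory size and the attribute size agree. */
int sizes_consistent(const struct model_inode *ni)
{
    return ni->i_size == ni->attr_size;
}

int main(void)
{
    struct model_inode a = { 4096, 4096 }, b = { 4096, 4096 };
    int ra = truncate_ignoring_error(&a, 1024, 1);
    int rb = truncate_checked(&b, 1024, 1);
    printf("ignored: ret=%d consistent=%d\n", ra, sizes_consistent(&a));
    printf("checked: ret=%d consistent=%d\n", rb, sizes_consistent(&b));
    return 0;
}
```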
Root Cause
The root cause is missing error propagation in the ntfs3 truncate path. The driver invoked attr_set_size() but ignored its return code, violating standard Linux kernel error-handling conventions for filesystem operations.
Attack Vector
The attack vector requires local access to a system with an NTFS volume mounted via ntfs3. A user with write permissions on a file can trigger truncation operations that, under failure conditions on the underlying storage or attribute layout, leave the inode in an inconsistent state. The flaw is primarily a reliability and data integrity defect rather than a direct privilege escalation primitive.
For technical specifics, refer to the upstream kernel Git commits 576248a and 6dfea43d.
Detection Methods for CVE-2025-71289
Indicators of Compromise
- Kernel log entries from ntfs3 reporting attribute resize failures or inode inconsistencies during truncation.
- Filesystem corruption reports on NTFS volumes mounted with the ntfs3 driver, particularly after abrupt truncate operations.
- fsck-equivalent NTFS checks flagging size mismatches between MFT records and allocated runs.
Detection Strategies
- Audit running kernel versions across the fleet and compare against patched stable kernel releases that include the upstream fix commits.
- Monitor dmesg and journal output for ntfs3 warnings related to attr_set_size, truncation, or inode state errors.
- Review file integrity baselines on systems that store data on NTFS volumes mounted via ntfs3.
Monitoring Recommendations
- Centralize kernel logs from Linux endpoints and servers and alert on ntfs3 error strings.
- Track NTFS mount usage in the environment to scope exposure to systems actually using the ntfs3 driver.
- Include kernel package versions in vulnerability management reports to confirm patch deployment.
How to Mitigate CVE-2025-71289
Immediate Actions Required
- Inventory Linux hosts that mount NTFS volumes using the ntfs3 driver.
- Apply vendor kernel updates that include the upstream fs/ntfs3 truncation error-handling fix.
- Reboot affected systems after patching to load the corrected kernel.
Patch Information
The fix is available in the mainline and stable Linux kernel trees through commits 576248a34b92 and 6dfea43d1151. Apply distribution kernel updates that incorporate these commits. Consult your Linux distribution's security advisories for the specific package versions that contain the fix.
Workarounds
- Avoid mounting NTFS volumes with the ntfs3 driver on unpatched kernels where feasible.
- Mount NTFS volumes read-only on unpatched systems to prevent triggering the truncation path.
- Restrict local user access to systems that must keep NTFS volumes writable until the patched kernel is deployed.
# Mount NTFS volume read-only as an interim workaround
mount -t ntfs3 -o ro /dev/sdX1 /mnt/ntfs
# Verify running kernel version after patching
uname -r


