CVE-2025-71311 Overview
CVE-2025-71311 is an uninitialized memory use vulnerability in the Linux kernel's fs/ntfs3 filesystem driver. The Kernel Memory Sanitizer (KMSAN) flagged an uninitialized value in longest_match_std(), called from ntfs_compress_write(). New folios are allocated without being marked uptodate, and ni_read_frame() is skipped because the caller expects the frame to be fully overwritten. When the overwrite is partial, reserved folios retain uninitialized kernel memory contents. The flaw affects NTFS compressed write paths in vulnerable Linux kernel builds that include the ntfs3 driver.
Critical Impact
Uninitialized kernel memory may be persisted into NTFS-compressed files, enabling potential information disclosure of kernel heap contents to userspace or on-disk artifacts.
Affected Products
- Linux kernel fs/ntfs3 filesystem driver
- Stable kernel branches referenced in the upstream fix commits
- Systems mounting NTFS volumes with write and compression enabled via ntfs3
Discovery Timeline
- 2026-05-27 - CVE-2025-71311 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-71311
Vulnerability Analysis
The defect lives in the NTFS3 compressed write path. When ntfs_compress_write() prepares a compression frame, it allocates new folios to back the frame. The code path skips ni_read_frame() under the assumption that the writer will overwrite the entire frame before compression executes. That assumption fails when the writer covers only part of the frame.
The newly allocated folios are not marked uptodate and are not zero-initialized prior to use. The compression routine longest_match_std() then reads across the buffer, including bytes the writer never touched. KMSAN identifies these reads as uninitialized value use. The uninitialized bytes can originate from prior kernel page allocations, exposing residual heap data through the compressed on-disk representation.
Root Cause
The root cause is missing initialization of newly allocated folios in ntfs_compress_write() before the compressor consumes them. The driver relies on a caller invariant (full-frame overwrite) that does not hold for all write sizes, and it omits the fallback read-modify-write or explicit zeroing that would otherwise initialize the backing pages.
Attack Vector
A local user with permission to write to an NTFS volume mounted with the ntfs3 driver and compression enabled can trigger the path by issuing partial-frame writes against compressed files. The result is uninitialized kernel memory being processed by the compressor and potentially written to disk. This creates an information disclosure primitive [CWE-908: Use of Uninitialized Resource] rather than a direct code execution path. No verified public exploit is available, and the EPSS data indicates a very low predicted exploitation probability.
The upstream fix initializes new folios before they are used in the compressed write path. See the upstream patches at kernel.org commit 41d79f8e, commit 5a30cc03, commit dd6c8152, and commit f223ebff.
Detection Methods for CVE-2025-71311
Indicators of Compromise
- KMSAN warnings referencing longest_match_std and ntfs_compress_write in kernel logs on instrumented builds
- Unexpected non-zero byte patterns in trailing regions of compressed NTFS files following partial writes
- Mounted ntfs3 filesystems showing writes to compressed files by unprivileged users
Detection Strategies
- Run debug kernels with KMSAN enabled in test environments to surface uninitialized reads in NTFS3 code paths
- Inventory hosts running kernels that ship fs/ntfs3 and confirm patch level against the upstream stable commits
- Audit /proc/mounts and mount unit files for ntfs3 entries with read-write access on multi-user systems
Monitoring Recommendations
- Forward kernel ring buffer events (dmesg, journald) into a central log pipeline and alert on ntfs3 and KMSAN strings
- Track package and kernel update status across the Linux fleet to confirm rollout of fixed builds
- Monitor user-initiated mount operations of NTFS volumes on servers and workstations
How to Mitigate CVE-2025-71311
Immediate Actions Required
- Update affected Linux kernels to a stable release containing the four fs/ntfs3 initialization commits listed in the references
- Restrict write access to NTFS volumes on shared systems until patched kernels are deployed
- Disable the ntfs3 driver on hosts that do not require NTFS write support
Patch Information
Upstream fixes are available in the Linux stable tree. The patches add initialization of newly allocated folios in the NTFS3 compressed write path so that longest_match_std() no longer reads uninitialized memory. Apply the kernel update provided by your distribution that includes commits 41d79f8e, 5a30cc03, dd6c8152, and f223ebff, then reboot to activate the patched kernel.
Workarounds
- Mount NTFS volumes read-only using mount -o ro to avoid the vulnerable compressed write path
- Use an alternate filesystem (for example, ext4 or xfs) for shared writable storage where feasible
- Blacklist the ntfs3 module on systems without an operational need for NTFS write access
# Configuration example: blacklist the ntfs3 module and remount existing NTFS volumes read-only
echo 'blacklist ntfs3' | sudo tee /etc/modprobe.d/disable-ntfs3.conf
sudo mount -o remount,ro /mnt/ntfs-volume
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

