CVE-2025-71312 Overview
CVE-2025-71312 is a memory leak vulnerability in the Linux kernel's NTFS3 filesystem driver. The flaw exists in the ntfs_fill_super() function within fs/ntfs3. The function sets the fc->fs_private pointer to NULL without first freeing the memory it references. This prevents the subsequent ntfs_fs_free() call from releasing the ntfs_mount_options structure, resulting in a kernel memory leak detectable via kmemleak.
Critical Impact
Repeated NTFS mount operations leak kernel memory from the ntfs_mount_options structure, contributing to resource exhaustion over time on systems that mount NTFS filesystems frequently.
Affected Products
- Linux kernel versions containing the fs/ntfs3 driver prior to the upstream fix
- Linux distributions shipping vulnerable NTFS3 driver builds
- Systems where users can trigger NTFS mount operations
Discovery Timeline
- 2026-05-27 - CVE-2025-71312 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-71312
Vulnerability Analysis
The vulnerability resides in the NTFS3 filesystem driver's superblock initialization path. During mount, __ntfs_init_fs_context() allocates an ntfs_mount_options structure and stores its pointer in fc->fs_private. The kernel uses the filesystem context (fc) cleanup helpers to free this memory when the mount fails or completes.
The ntfs_fill_super() function copies mount options into sbi->options and then nulls out fc->fs_private. Because the duplicated sbi->options does not reuse the original allocation, clearing the pointer abandons the original buffer. The cleanup path in ntfs_fs_free() checks fc->fs_private and skips freeing when it is NULL, leaving the structure permanently leaked.
Kmemleak reports a 32-byte unreferenced object with the allocation backtrace traversing __kmalloc_cache_noprof, __ntfs_init_fs_context, alloc_fs_context, and the fsopen syscall path. Each successful or attempted NTFS mount leaks one instance of the structure.
Root Cause
The root cause is incorrect ownership handling between the filesystem context and the superblock private data. The original code assumed sbi->options adopted the allocation owned by fc->fs_private, but the implementation actually duplicates the contents. Nulling the pointer in fc->fs_private discards the only remaining reference to the original allocation.
Attack Vector
A local user with permission to mount NTFS filesystems can repeatedly trigger the leak. The reproducer uses fallocate -l 100M test.file followed by mount test.file /tmp/test. Each invocation leaks 32 bytes of kernel slab memory. Over time, repeated mounts contribute to kernel memory pressure and reduce available resources.
The upstream fix removes the unnecessary fc->fs_private = NULL assignment and replaces the open-coded cleanup with the put_mount_options() helper to ensure correct release of the structure.
Detection Methods for CVE-2025-71312
Indicators of Compromise
- Kmemleak reports referencing __ntfs_init_fs_context in the allocation backtrace
- Growing kmalloc-32 slab cache usage correlated with NTFS mount activity
- Repeated mount system calls targeting NTFS3 filesystems from non-administrative users
Detection Strategies
- Enable CONFIG_DEBUG_KMEMLEAK on test kernels and scan /sys/kernel/debug/kmemleak for ntfs_mount_options allocations
- Monitor /proc/slabinfo for unexpected growth of small kmalloc caches on systems performing NTFS mounts
- Audit kernel logs for repeated NTFS3 mount events from user sessions
Monitoring Recommendations
- Track auditd records for mount syscalls with NTFS filesystem type and correlate with the invoking user
- Alert on sustained kernel slab growth without a matching workload increase
- Inventory kernel versions across the fleet and flag hosts running NTFS3 builds prior to the patch
How to Mitigate CVE-2025-71312
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the Linux Kernel Commit dac871d833b0 and Linux Kernel Commit f7edab0cee03
- Update to a distribution kernel that includes the NTFS3 memory leak fix
- Restrict the ability of unprivileged users to mount NTFS filesystems on multi-user systems
Patch Information
The fix removes the redundant fc->fs_private = NULL assignment in ntfs_fill_super() and uses the put_mount_options() helper to simplify the cleanup logic. After patching, ntfs_fs_free() correctly releases the ntfs_mount_options structure when the filesystem context is torn down. Distribution maintainers should backport the commits to supported stable kernel branches.
Workarounds
- Disable or unload the ntfs3 kernel module on systems that do not require NTFS support
- Configure udev and polkit rules to prevent non-root users from invoking NTFS mount operations
- Reboot systems periodically to reclaim leaked kernel memory until patches are deployed
# Prevent loading of the vulnerable NTFS3 driver
echo 'blacklist ntfs3' | sudo tee /etc/modprobe.d/disable-ntfs3.conf
sudo modprobe -r ntfs3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

