Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71312

CVE-2025-71312: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71312 is a use-after-free vulnerability in the Linux kernel's NTFS3 filesystem that causes memory leaks during mount operations. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2025-71312 Overview

CVE-2025-71312 is a memory leak vulnerability in the Linux kernel's NTFS3 filesystem driver. The flaw exists in the ntfs_fill_super() function within fs/ntfs3. The function sets the fc->fs_private pointer to NULL without first freeing the memory it references. This prevents the subsequent ntfs_fs_free() call from releasing the ntfs_mount_options structure, resulting in a kernel memory leak detectable via kmemleak.

Critical Impact

Repeated NTFS mount operations leak kernel memory from the ntfs_mount_options structure, contributing to resource exhaustion over time on systems that mount NTFS filesystems frequently.

Affected Products

  • Linux kernel versions containing the fs/ntfs3 driver prior to the upstream fix
  • Linux distributions shipping vulnerable NTFS3 driver builds
  • Systems where users can trigger NTFS mount operations

Discovery Timeline

  • 2026-05-27 - CVE-2025-71312 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2025-71312

Vulnerability Analysis

The vulnerability resides in the NTFS3 filesystem driver's superblock initialization path. During mount, __ntfs_init_fs_context() allocates an ntfs_mount_options structure and stores its pointer in fc->fs_private. The kernel uses the filesystem context (fc) cleanup helpers to free this memory when the mount fails or completes.

The ntfs_fill_super() function copies mount options into sbi->options and then nulls out fc->fs_private. Because the duplicated sbi->options does not reuse the original allocation, clearing the pointer abandons the original buffer. The cleanup path in ntfs_fs_free() checks fc->fs_private and skips freeing when it is NULL, leaving the structure permanently leaked.

Kmemleak reports a 32-byte unreferenced object with the allocation backtrace traversing __kmalloc_cache_noprof, __ntfs_init_fs_context, alloc_fs_context, and the fsopen syscall path. Each successful or attempted NTFS mount leaks one instance of the structure.

Root Cause

The root cause is incorrect ownership handling between the filesystem context and the superblock private data. The original code assumed sbi->options adopted the allocation owned by fc->fs_private, but the implementation actually duplicates the contents. Nulling the pointer in fc->fs_private discards the only remaining reference to the original allocation.

Attack Vector

A local user with permission to mount NTFS filesystems can repeatedly trigger the leak. The reproducer uses fallocate -l 100M test.file followed by mount test.file /tmp/test. Each invocation leaks 32 bytes of kernel slab memory. Over time, repeated mounts contribute to kernel memory pressure and reduce available resources.

The upstream fix removes the unnecessary fc->fs_private = NULL assignment and replaces the open-coded cleanup with the put_mount_options() helper to ensure correct release of the structure.

Detection Methods for CVE-2025-71312

Indicators of Compromise

  • Kmemleak reports referencing __ntfs_init_fs_context in the allocation backtrace
  • Growing kmalloc-32 slab cache usage correlated with NTFS mount activity
  • Repeated mount system calls targeting NTFS3 filesystems from non-administrative users

Detection Strategies

  • Enable CONFIG_DEBUG_KMEMLEAK on test kernels and scan /sys/kernel/debug/kmemleak for ntfs_mount_options allocations
  • Monitor /proc/slabinfo for unexpected growth of small kmalloc caches on systems performing NTFS mounts
  • Audit kernel logs for repeated NTFS3 mount events from user sessions

Monitoring Recommendations

  • Track auditd records for mount syscalls with NTFS filesystem type and correlate with the invoking user
  • Alert on sustained kernel slab growth without a matching workload increase
  • Inventory kernel versions across the fleet and flag hosts running NTFS3 builds prior to the patch

How to Mitigate CVE-2025-71312

Immediate Actions Required

Patch Information

The fix removes the redundant fc->fs_private = NULL assignment in ntfs_fill_super() and uses the put_mount_options() helper to simplify the cleanup logic. After patching, ntfs_fs_free() correctly releases the ntfs_mount_options structure when the filesystem context is torn down. Distribution maintainers should backport the commits to supported stable kernel branches.

Workarounds

  • Disable or unload the ntfs3 kernel module on systems that do not require NTFS support
  • Configure udev and polkit rules to prevent non-root users from invoking NTFS mount operations
  • Reboot systems periodically to reclaim leaked kernel memory until patches are deployed
bash
# Prevent loading of the vulnerable NTFS3 driver
echo 'blacklist ntfs3' | sudo tee /etc/modprobe.d/disable-ntfs3.conf
sudo modprobe -r ntfs3

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.