CVE-2026-43127 Overview
CVE-2026-43127 is a circular locking dependency in the Linux kernel's ntfs3 filesystem driver. Syzbot detected an AB-BA deadlock between wnd->rw_lock (held in sbi->used.bitmap) and ni->file.run_lock during NTFS run unpacking operations. The flaw resides in the run_unpack_ex() function, which acquires the bitmap lock before attempting to take the run lock through ntfs_refresh_zone(). A concurrent call path through ntfs_extend_mft() takes those locks in the opposite order, producing the deadlock condition. The issue affects Linux kernels that include the ntfs3 driver and has been resolved upstream through stable tree commits.
Critical Impact
Concurrent NTFS operations can deadlock kernel threads, causing filesystem hangs and denial of service on systems mounting NTFS volumes via the ntfs3 driver.
Affected Products
- Linux kernel with ntfs3 filesystem driver enabled
- Stable kernel branches receiving commits 08ce2fee1b86, b014372b6223, and b8d22d9d8260
- Systems mounting NTFS volumes using the in-tree ntfs3 driver
Discovery Timeline
- 2026-05-06 - CVE-2026-43127 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43127
Vulnerability Analysis
The vulnerability is a classic AB-BA lock ordering violation [Race Condition / Deadlock] inside the ntfs3 filesystem implementation. Two kernel paths acquire the same pair of locks in opposite orders. The first path, ntfs_extend_mft(), takes ni->file.run_lock first and then wnd->rw_lock. The second path, run_unpack_ex(), takes wnd->rw_lock first and then attempts to acquire ni->file.run_lock indirectly through ntfs_refresh_zone(). When two threads execute these paths concurrently, each thread blocks waiting for a lock held by the other. The result is a kernel-level deadlock that hangs filesystem I/O on the affected NTFS volume. Syzbot's lockdep instrumentation detected the inverse acquisition order during fuzzing of the ntfs3 driver.
Root Cause
The root cause is inconsistent lock acquisition order across the ntfs3 Master File Table (MFT) extension and run unpacking code paths. run_unpack_ex() calls ntfs_refresh_zone() while already holding wnd->rw_lock, and ntfs_refresh_zone() then attempts a blocking down_read() on ni->file.run_lock. Lock hierarchy was not enforced between these two subsystems, so the bitmap lock and the run lock could be acquired in either order.
Attack Vector
Triggering the deadlock requires concurrent NTFS operations that exercise both code paths simultaneously. A local user with the ability to perform reads or writes against an NTFS volume mounted with ntfs3 can induce the condition through crafted filesystem activity. Successful triggering hangs kernel threads holding the contested locks, producing a denial of service on the filesystem and any process waiting on it.
No exploitation code is available, and the public references consist solely of upstream kernel patches. The fix replaces down_read() with down_read_trylock() in run_unpack_ex(). When the trylock fails, the function skips ntfs_refresh_zone() and defers MFT zone refresh to the next MFT operation, eliminating the blocking acquisition that produced the cycle.
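The lock ordering described above can be checked mechanically. The following is an added example, not kernel code and not part of the upstream patch: it models the two paths as acquisition sequences and searches for a cycle among blocking acquisitions. The sequence names (EXTEND_MFT, UNPACK_OLD, UNPACK_FIXED) and the helper functions are constructed for illustration.

```python
from collections import defaultdict

RUN, BITMAP = "ni->file.run_lock", "wnd->rw_lock"

# Acquisition sequences as the advisory describes them (a model, not kernel code).
EXTEND_MFT = [("lock", RUN), ("lock", BITMAP), ("unlock", BITMAP), ("unlock", RUN)]
UNPACK_OLD = [("lock", BITMAP), ("lock", RUN), ("unlock", RUN), ("unlock", BITMAP)]
UNPACK_FIXED = [("lock", BITMAP), ("trylock", RUN), ("unlock", RUN), ("unlock", BITMAP)]


def order_edges(path):
    """Return (held, wanted) pairs for every blocking acquisition in one path."""
    held, edges = [], set()
    for op, lock in path:
        if op == "unlock":
            held.remove(lock)
            continue
        if op == "lock":  # a blocking acquire may wait on `lock` while holding `held`
            edges.update((h, lock) for h in held)
        held.append(lock)  # a trylock never waits, so it contributes no edge
    return edges


def find_cycle(paths):
    """Return one lock cycle across all paths, or None if the order is consistent."""
    graph = defaultdict(set)
    for path in paths:
        for a, b in order_edges(path):
            graph[a].add(b)

    def dfs(node, stack):
        if node in stack:  # reached a lock already on the current chain
            return stack[stack.index(node):] + [node]
        for nxt in sorted(graph[node]):
            found = dfs(nxt, stack + [node])
            if found:
                return found
        return None

    for start in sorted(graph):
        cycle = dfs(start, [])
        if cycle:
            return cycle
    return None


if __name__ == "__main__":
    print("before fix:", find_cycle([EXTEND_MFT, UNPACK_OLD]))
    print("after fix: ", find_cycle([EXTEND_MFT, UNPACK_FIXED]))
```

With the blocking acquisition the two paths form the cycle run_lock -> rw_lock -> run_lock; with the trylock the only remaining edge is the one from ntfs_extend_mft(), so no cycle exists.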
Detection Methods for CVE-2026-43127
Indicators of Compromise
- Kernel lockdep warnings referencing wnd->rw_lock and ni->file.run_lock with circular dependency traces
- Hung task warnings from threads stuck inside run_unpack_ex or ntfs_extend_mft
- NTFS volume I/O stalls coinciding with elevated D state process counts
Detection Strategies
- Enable CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP on test kernels to surface AB-BA lock reports during NTFS workloads
- Monitor dmesg for INFO: possible circular locking dependency detected messages tied to ntfs3 symbols
- Track kernel version and patch level against fixed commits 08ce2fee1b86, b014372b6223, and b8d22d9d8260
Monitoring Recommendations
- Alert on khungtaskd warnings and processes blocked longer than kernel.hung_task_timeout_secs while accessing NTFS mounts
- Collect kernel panic and soft lockup telemetry from hosts mounting NTFS volumes
- Audit which workloads use the ntfs3 driver versus the legacy ntfs or FUSE-based ntfs-3g to scope exposure
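A triage script for the log indicators listed above, as an added example rather than vendor or kernel tooling. It flags lockdep reports that name both locks and hung-task reports whose trace contains an ntfs3 symbol from this advisory. The sample log is constructed, and the report header patterns are assumptions based on common kernel message wording.

```python
import re

# Lock names and symbols this advisory associates with CVE-2026-43127.
LOCKS = ("wnd->rw_lock", "ni->file.run_lock")
SYMBOLS = ("run_unpack_ex", "ntfs_extend_mft", "ntfs_refresh_zone")
LOCKDEP = re.compile(r"(?:INFO|WARNING): possible circular locking dependency detected")
HUNG = re.compile(r"INFO: task \S+:\d+ blocked for more than \d+ seconds")

# Constructed sample log (not captured from a real host); offsets are placeholders.
SAMPLE_DMESG = """\
[  101.1] WARNING: possible circular locking dependency detected
[  101.1] syz-executor/5120 is trying to acquire lock:
[  101.1] (&ni->file.run_lock){++++}-{3:3}, at: ntfs_refresh_zone+0x0/0x0
[  101.1] but task is already holding lock:
[  101.1] (&wnd->rw_lock){++++}-{3:3}, at: run_unpack_ex+0x0/0x0
[  355.2] INFO: task cp:6001 blocked for more than 120 seconds.
[  355.2]  ntfs_extend_mft+0x0/0x0
[  601.7] INFO: task tar:6100 blocked for more than 120 seconds.
[  601.7]  ext4_file_write_iter+0x0/0x0
""".splitlines()


def triage(lines, window=30):
    """Return lockdep and hung-task reports that point at the ntfs3 lock pair."""
    findings = []
    for i, line in enumerate(lines):
        kind = "lockdep" if LOCKDEP.search(line) else "hung_task" if HUNG.search(line) else None
        if kind is None:
            continue
        body = []
        for nxt in lines[i + 1:i + 1 + window]:
            if LOCKDEP.search(nxt) or HUNG.search(nxt):
                break  # the next report starts here; do not mix traces
            body.append(nxt)
        text = "\n".join(body)
        locks = [name for name in LOCKS if name in text]
        symbols = [s for s in SYMBOLS if re.search(rf"\b{s}\b", text)]
        # lockdep: require both locks of the AB-BA pair; hung task: any ntfs3 symbol
        hit = len(locks) == 2 if kind == "lockdep" else bool(symbols)
        if hit:
            findings.append({"kind": kind, "line": i + 1, "locks": locks, "symbols": symbols})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DMESG):
        print(finding)
```

To run it against a live host, pass the lines of `dmesg` or the kernel journal to `triage()` in place of the constructed sample.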
How to Mitigate CVE-2026-43127
Immediate Actions Required
- Apply the upstream stable kernel update containing the run_unpack_ex trylock fix to all systems using ntfs3
- Identify hosts mounting NTFS volumes with the in-tree ntfs3 driver and prioritize them for patching
- Validate the fix in non-production by exercising concurrent read and write workloads on NTFS volumes
Patch Information
The vulnerability is resolved by three stable tree commits: kernel.org commit 08ce2fee1b86, kernel.org commit b014372b6223, and kernel.org commit b8d22d9d8260. The change replaces down_read() with down_read_trylock() when acquiring run_lock inside run_unpack_ex(). If the lock is contended, the code skips ntfs_refresh_zone() and defers refresh to the next MFT operation.
Workarounds
- Mount NTFS volumes read-only where write activity is not required, reducing concurrent paths into ntfs_extend_mft()
- Use the userspace ntfs-3g FUSE driver instead of the in-tree ntfs3 driver until the patch is deployed
- Avoid loading the ntfs3 module on systems that do not require NTFS access by blacklisting it in /etc/modprobe.d/
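```bash
# Blacklist the ntfs3 module until a patched kernel is deployed.
# Note: 'blacklist' only stops alias-based autoloading; an explicit 'modprobe ntfs3' still loads it.
echo 'blacklist ntfs3' | sudo tee /etc/modprobe.d/blacklist-ntfs3.conf
# Rebuild the initramfs (Debian/Ubuntu; dracut-based distributions use 'sudo dracut -f')
sudo update-initramfs -u
# Show the running kernel release
uname -r
# If /usr/src/linux is a git checkout of the tree that kernel was built from,
# check whether its history contains one of the fix commits
git -C /usr/src/linux log --oneline --abbrev=12 | grep -E '08ce2fee1b86|b014372b6223|b8d22d9d8260'
```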
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


