CVE-2026-46062 Overview
CVE-2026-46062 is an integer overflow vulnerability in the Linux kernel's ntfs3 filesystem driver. The flaw resides in the run_unpack() function, where the volume boundary check lcn + len > sbi->used.bitmap.nbits uses unchecked addition. Large attacker-controlled values for lcn and len can wrap around, bypassing the boundary validation. The issue was identified through fuzzing with a source-patched harness using LibAFL and QEMU. The fix replaces the raw addition with check_add_overflow(), mirroring the safeguards already added by commit 3ac37e100385 for the adjacent prev_lcn + dlcn and vcn64 + len checks.
Critical Impact
An integer overflow in run_unpack() allows a crafted NTFS volume to bypass boundary validation, potentially leading to out-of-bounds access in kernel context.
Affected Products
- Linux kernel (ntfs3 filesystem driver)
- Distributions shipping vulnerable Linux kernel versions with ntfs3 enabled
- Systems mounting untrusted NTFS volumes
Discovery Timeline
- 2026-05-27 - CVE-2026-46062 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-46062
Vulnerability Analysis
The vulnerability is an integer overflow in the ntfs3 filesystem driver's run_unpack() function. This function decodes NTFS run lists, which describe the mapping between virtual cluster numbers (VCN) and logical cluster numbers (LCN) on disk. As part of validation, the code verifies that an LCN plus its run length stays within the volume bitmap bounds. The original check used plain integer addition without overflow protection. When lcn + len wraps past the maximum representable value, the comparison evaluates as if the range is valid, even though the actual run extends far beyond the volume. The kernel then proceeds to operate on out-of-bounds cluster ranges.
Root Cause
The root cause is a missing overflow check in arithmetic on attacker-controlled 64-bit values. Commit 3ac37e100385 previously hardened the adjacent prev_lcn + dlcn and vcn64 + len checks using check_add_overflow(), but the lcn + len > sbi->used.bitmap.nbits comparison was overlooked. The fix introduced in commits 60dab3e, 6175d09, 984a415, a954061, and f1af27c brings this remaining check in line with the rest of the function by using check_add_overflow() to reject malformed run lists before the comparison.
Attack Vector
Exploitation requires the kernel to parse a maliciously crafted NTFS volume. A local user able to mount untrusted NTFS images, or a system that auto-mounts removable media, exposes the vulnerable code path. The attacker forges run list entries with lcn and len values whose sum wraps the integer range, defeating the boundary check. Once accepted, the corrupted run list drives downstream code into out-of-bounds memory access in kernel space. The vulnerability was discovered through coverage-guided fuzzing using LibAFL combined with QEMU and a source-patched harness targeting the ntfs3 parser.
No public proof-of-concept code has been released. Technical details are available in the upstream kernel commits referenced in the Linux kernel stable tree.
Detection Methods for CVE-2026-46062
Indicators of Compromise
- Kernel oops, panic, or KASAN reports referencing run_unpack, ntfs3, or the ntfs3 cluster bitmap routines
- Unexpected mount failures or filesystem corruption messages from ntfs3 in dmesg
- Mount operations against NTFS images originating from untrusted sources, removable media, or user-supplied loop devices
Detection Strategies
- Audit kernel logs for crashes or warnings emitted by the ntfs3 driver during mount and run list parsing
- Inventory hosts running kernel builds with CONFIG_NTFS3_FS=y to identify the exposed attack surface
- Monitor mount syscalls referencing ntfs3 filesystems, especially those initiated by non-root users or automounters
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized logging or SIEM platform and alert on ntfs3 BUG, WARN, or KASAN entries
- Track package and kernel versions across the fleet to confirm that patched kernels are deployed
- Alert on attachment of removable storage on production hosts where NTFS mounting is not an expected workflow
How to Mitigate CVE-2026-46062
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in commits 60dab3e, 6175d09, 984a415, a954061, and f1af27c once shipped by your distribution
- Restrict mounting of NTFS volumes to trusted administrators and disable automatic mounting of removable media on servers
- Audit which hosts have the ntfs3 driver loaded and whether it is required for the workload
Patch Information
The fix replaces the unchecked lcn + len > sbi->used.bitmap.nbits comparison in run_unpack() with check_add_overflow(), matching the protection already applied to neighboring checks by commit 3ac37e100385. Patched kernels are available through the stable tree commits 60dab3e, 6175d09, 984a415, a954061, and f1af27c.
Workarounds
- Blacklist the ntfs3 kernel module on systems that do not need NTFS read/write support
- Disable user-initiated mounting by removing user and users options from /etc/fstab entries and tightening udev/polkit rules for removable media
- Where NTFS access is still required, use a userspace driver in a sandboxed context instead of the in-kernel ntfs3 driver until patches are applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
