CVE-2026-53029 Overview
CVE-2026-53029 is an uninitialized memory use vulnerability in the Linux kernel's fs/ntfs3 filesystem driver. The flaw resides in the ntfs_iomap_begin() function in fs/ntfs3/inode.c, where a local lcn (logical cluster number) variable can be read before being initialized. The syzbot fuzzer reported the issue as a KMSAN uninit-value detection. When run_lookup_entry() fails immediately because runs have not been populated, *len remains zero, and the logic in attr_data_get_block_locked() jumps to the ok label without setting *lcn. The result is the use of uninitialized stack memory during NTFS read operations.
Critical Impact
Local attackers mounting a crafted NTFS image can trigger uninitialized kernel memory reads, leading to information disclosure or undefined kernel behavior.
Affected Products
- Linux kernel versions containing the fs/ntfs3 driver prior to the upstream fix
- Linux distributions shipping vulnerable mainline and stable kernel branches
- Systems that mount or process user-supplied NTFS filesystem images
Discovery Timeline
- 2026-06-24 - CVE-2026-53029 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-53029
Vulnerability Analysis
The vulnerability is an uninitialized memory use [CWE-908] in the NTFS3 read-write filesystem driver introduced in modern Linux kernels. The defect occurs along an error path inside ntfs_iomap_begin(), which translates filesystem offsets into block mappings for the iomap subsystem.
When ntfs_iomap_begin() calls into attr_data_get_block_locked(), the helper attempts to resolve a logical cluster number through run_lookup_entry(). If the runs array has not yet been populated, run_lookup_entry() returns false without writing to its output parameters. Because both the returned length and error code are zero, the function follows the success path to the ok label and returns without assigning *lcn.
Control then returns to ntfs_iomap_begin(), which proceeds to use the stack-allocated lcn variable declared at fs/ntfs3/inode.c:786. That value is whatever residual data occupies the stack slot, producing the KMSAN report at fs/ntfs3/inode.c:825.
Root Cause
The root cause is missing validation of a zero-length mapping result before the lcn output is consumed. The error path in attr_data_get_block_locked() leaves *lcn untouched when the runs list is empty, and the caller reads lcn before checking that clen is non-zero.
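As an added illustration, not kernel code, the following simplified C model reproduces the control flow described above together with the caller ordering the fix adopts: the lookup helper leaves lcn untouched on failure, and the caller rejects a zero clen before reading lcn. The function names mirror the kernel's, but the bodies, the 4 KiB cluster size, and the extent layout are constructed assumptions.

```c
/* Simplified model of the CVE-2026-53029 pattern; constructed, not kernel code. */
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t CLST;
#define CLUSTER_SHIFT 12 /* assumed 4 KiB clusters */
struct run { CLST vcn, lcn, len; };                          /* one NTFS extent */
struct runs_tree { const struct run *runs; unsigned count; }; /* stand-in runs list */

/* Mimics run_lookup_entry(): false, with both outputs untouched, when no extent covers vcn. */
static bool run_lookup_entry(const struct runs_tree *rt, CLST vcn, CLST *lcn, CLST *len)
{
    for (unsigned i = 0; i < rt->count; i++) {
        const struct run *r = &rt->runs[i];
        if (vcn >= r->vcn && vcn < r->vcn + r->len) {
            *lcn = r->lcn + (vcn - r->vcn);
            *len = r->vcn + r->len - vcn;
            return true;
        }
    }
    return false;
}

/* Mimics attr_data_get_block_locked(): on lookup failure *len stays 0 and *lcn is never set. */
static int attr_data_get_block_locked(const struct runs_tree *rt, CLST vcn, CLST *lcn, CLST *len)
{
    *len = 0;
    if (!run_lookup_entry(rt, vcn, lcn, len))
        goto ok; /* zero-length result takes the success path */
ok:
    return 0;
}

/* Caller in the fixed ordering: clen is checked before lcn is read. Returns byte offset or -1. */
static int64_t map_block_fixed(const struct runs_tree *rt, CLST vcn)
{
    CLST lcn, clen;
    int err = attr_data_get_block_locked(rt, vcn, &lcn, &clen);
    if (err || !clen) /* using lcn before this check is the CWE-908 defect */
        return -1;
    return (int64_t)(lcn << CLUSTER_SHIFT);
}

/* Constructed sample: one extent maps VCN 0..3 to LCN 100..103; populated=false leaves runs empty. */
static int64_t demo_lookup(CLST vcn, bool populated)
{
    static const struct run extent = { 0, 100, 4 };
    struct runs_tree rt = { &extent, populated ? 1u : 0u };
    return map_block_fixed(&rt, vcn);
}
```

With an empty runs list, demo_lookup() returns -1 instead of a byte offset derived from whatever the lcn stack slot happened to hold.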
Attack Vector
The vulnerability is reachable through filesystem operations on a crafted NTFS image. A local attacker with the ability to mount untrusted NTFS volumes, or to provide a malformed image that the kernel processes, can trigger the uninitialized read. Successful triggering produces undefined behavior in block mapping logic and can leak stack contents into downstream iomap operations.
The vulnerability is described in the upstream patch commits. See kernel.org commits 485f750c and e98266e8 for the technical fix details. No public exploit code is available.
Detection Methods for CVE-2026-53029
Indicators of Compromise
- KMSAN or KASAN reports referencing ntfs_iomap_begin in kernel logs on instrumented builds
- Unexpected mount activity for NTFS volumes originating from untrusted sources or removable media
- Kernel oops or warning entries pointing to fs/ntfs3/inode.c during file read operations
Detection Strategies
- Audit kernel package versions across the fleet to identify hosts running ntfs3-enabled kernels predating the fix commits.
- Monitor dmesg and journal logs for KMSAN, KASAN, or general protection fault traces involving ntfs3 symbols.
- Correlate mount events for filesystem type ntfs3 with the source device and originating user to identify untrusted image processing.
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on stack traces containing ntfs_iomap_begin or attr_data_get_block_locked.
- Track mount syscalls with auditd rules covering filesystem type arguments to detect NTFS volume usage on servers that should not handle them.
- Inventory Linux endpoints by kernel version to prioritize patch deployment on hosts with the ntfs3 driver loaded.
How to Mitigate CVE-2026-53029
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in commits 485f750c and e98266e8 once they reach your distribution's stable branch.
- Restrict mounting of NTFS filesystems to trusted administrators and disable automount of removable media on servers.
- On systems that do not require NTFS support, unload the ntfs3 kernel module with modprobe -r ntfs3.
Patch Information
The fix moves the zero-length check on clen ahead of the lcn update in ntfs_iomap_begin(), preventing the uninitialized read. The patches are available in the upstream stable tree at kernel.org commit 485f750c and kernel.org commit e98266e8. Distribution maintainers will backport these fixes into supported stable kernel series.
Workarounds
- Blacklist the ntfs3 module on systems that do not require NTFS read-write support to remove the attack surface entirely.
- Enforce noauto and restrictive fstab entries for NTFS volumes, requiring explicit administrator action to mount.
- Limit physical and virtual access to USB and removable storage interfaces to reduce exposure to crafted NTFS images.
# Prevent automatic loading of the vulnerable ntfs3 driver
# (has no effect if ntfs3 is built into the kernel rather than loaded as a module)
echo 'blacklist ntfs3' | sudo tee /etc/modprobe.d/blacklist-ntfs3.conf
# Unloading fails while any ntfs3 volume is still mounted; unmount those first
sudo modprobe -r ntfs3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

