CVE-2026-53027

ANALYSIS PENDING

fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked() When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments. The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1). Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup. The following scenario triggers the bug: attr_data_get_block_locked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attr_allocate_clusters() <- allocation succeeds run_lookup_entry(vcn0) <- vcn0 not in run -> SPARSE_LCN WARN_ON(1) <- bug fires here!

Scores

EPSS 0.0015
EPSS Percentile 5.1%

Details

Status published
Products (9)
linux/Kernel 6.2.0 - 7.0.10linux
Linux/Linux < 6.2
Linux/Linux 406a037d93b769bca248476bd14bbe548dc1ec35
Linux/Linux 6.1.132 - 6.2
Linux/Linux 6.2
Linux/Linux 7.0.10 - 7.0.*
Linux/Linux 7.1
Linux/Linux c380b52f6c5702cc4bdda5e6d456d6c19a201a0b - 2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54
Linux/Linux c380b52f6c5702cc4bdda5e6d456d6c19a201a0b - d7ea8495fd307b58f8867acd81a1b40075b1d3ba
Published Jun 24, 2026
Tracked Since Jun 24, 2026