CVE-2025-68728
Uninitialized Memory Use in Linux ntfs3 Causes KMSAN Alert
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Linux kernel's ntfs3 driver. It involves uninitialized memory being used after a failed read operation (mi_read) in the mi_format_new function. Specifically, a buffer expected to be up-to-date may contain uninitialized data, which can lead to the inclusion of uninitialized memory in the metadata record. This triggers a Kernel Memory Sanitizer (KMSAN) warning. The fix involves ensuring the buffer is marked as up-to-date by overwriting it if necessary.
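The pattern described above, as a simplified user-space model. This is an added example, not code from the ntfs3 driver or the upstream patch; every name, the record and header sizes, and the 0xAA poison byte (standing in for uninitialized cache memory) are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE 64   /* constructed record size */
#define HDR_SIZE 16   /* bytes the formatter actually writes */
#define POISON   0xAA /* stands in for uninitialized memory */

struct buf { unsigned char data[REC_SIZE]; bool uptodate; };

/* Model of obtaining a cache buffer: contents are whatever was there before. */
static void get_block(struct buf *b) {
    memset(b->data, POISON, REC_SIZE);
    b->uptodate = false;
}

/* Model of a read that fails: nothing is copied in, the flag stays clear. */
static int read_record(struct buf *b) { (void)b; return -1; }

/* Flawed path: write only a header, then declare the whole buffer valid. */
static void format_new_flawed(struct buf *b) {
    memcpy(b->data, "FILE", 4);
    memset(b->data + 4, 0, HDR_SIZE - 4);
    b->uptodate = true;
}

/* Corrected path: overwrite the full buffer before marking it up to date. */
static void format_new_fixed(struct buf *b) {
    if (!b->uptodate)
        memset(b->data, 0, REC_SIZE);
    memcpy(b->data, "FILE", 4);
    b->uptodate = true;
}

/* Count never-written bytes in a record that is marked valid. */
static int stale_bytes(bool fixed) {
    struct buf b;
    int n = 0;
    get_block(&b);
    if (read_record(&b) != 0)
        (fixed ? format_new_fixed : format_new_flawed)(&b);
    for (int i = 0; i < REC_SIZE; i++)
        if (b.data[i] == POISON) n++;
    return n;
}

int main(void) {
    printf("flawed: %d stale, fixed: %d stale\n", stale_bytes(false), stale_bytes(true));
    return 0;
}
```

In the flawed path every byte past the header still holds prior memory contents even though the buffer is flagged as valid, which is the condition KMSAN reports when the record is later loaded.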
How can this vulnerability impact me?
The vulnerability can lead to the use of uninitialized memory in the kernel, which may cause instability or unpredictable behavior in the system. It can also trigger KMSAN warnings, indicating potential memory safety issues. While no direct exploit impact is described, uninitialized memory usage can potentially lead to information leakage or system crashes.
What immediate steps should I take to mitigate this vulnerability?
Update to a Linux kernel version that includes the fix for the uninitialized memory issue in the ntfs3 driver, or apply the patch that resolves it. Confirm that the kernel actually running on the system is the updated one containing the fix for the mi_read uninitialized memory bug.