CVE-2026-31716
Buffer Overflow in Linux Kernel NTFS3 Filesystem
Publication date: 2026-05-01
Last updated on: 2026-05-03
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | kernel | * |
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
This vulnerability requires a corrupted filesystem to be exploitable. To mitigate it, ensure your Linux kernel is updated to a version that includes the fix that correctly bounds rec->used during journal replay in the ntfs3 filesystem driver.
Since the issue is related to the Linux kernel's ntfs3 filesystem driver, applying the latest kernel patches or upgrading to a fixed kernel version is the immediate step to prevent potential exploitation.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's NTFS3 filesystem driver, specifically in how it validates certain fields during journal replay of file records.
The function check_file_record() validates the total size of a record but does not validate the record's 'used' field. During journal replay, 'used' is read from disk and fed into the length arithmetic for memmove operations.
If 'used' is smaller than the offset of an already-validated attribute, or larger than the record size, that arithmetic can underflow, so memmove copies far more than fits in the 4KB record buffer. This can lead to memory corruption.
The vulnerability requires a corrupted filesystem to be exploitable, which is not a typical threat model for the kernel, but the fix improves robustness by properly bounding the 'used' value.
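As an added illustration (a constructed model, not the kernel's own code and not the actual patch), the C below shows why an unvalidated 'used' field breaks the length arithmetic and what a bounded check looks like. The struct, the two check functions and the tail-length helpers are hypothetical; only the field names (attr_off, used, total) follow the NTFS file record layout, and the 4KB buffer size comes from the description above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified model of an NTFS file record header.
 * Field names follow the on-disk NTFS layout; this is not the
 * kernel's own struct and the checks below are not the patch. */
struct file_record {
    uint16_t attr_off; /* offset of the first attribute */
    uint32_t used;     /* bytes in use, read straight from disk/journal */
    uint32_t total;    /* allocated size of the record */
};

#define REC_BUF_SIZE 4096u /* size of the record buffer the page mentions */

/* Validation that only bounds 'total' (the weakness the page describes). */
static bool check_total_only(const struct file_record *rec)
{
    return rec->total <= REC_BUF_SIZE && rec->attr_off < rec->total;
}

/* Hardened validation: 'used' must lie in [attr_off, total] so that
 * later subtractions involving it cannot wrap. */
static bool check_bounded_used(const struct file_record *rec)
{
    if (rec->total > REC_BUF_SIZE || rec->attr_off >= rec->total)
        return false;
    if (rec->used < rec->attr_off || rec->used > rec->total)
        return false;
    return true;
}

/* Length of the tail that would be shifted when an attribute at 'off'
 * is inserted or removed, computed the unchecked way: unsigned
 * subtraction silently wraps to a huge value when 'used' < 'off'. */
static uint32_t tail_len_unchecked(const struct file_record *rec, uint32_t off)
{
    return rec->used - off;
}

/* Same computation with the underflow detected; SIZE_MAX signals
 * "reject this record" instead of feeding a huge length to memmove. */
static size_t tail_len_checked(const struct file_record *rec, uint32_t off)
{
    if (off > rec->used || rec->used > rec->total)
        return SIZE_MAX;
    return rec->used - off;
}
```

A record with used = 0x20 and attr_off = 0x38 passes the total-only check yet yields a wrapped length of 0xFFFFFFE8 from the unchecked subtraction; the bounded check rejects it before any copy length is computed.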
How can this vulnerability impact me?
This vulnerability can lead to memory corruption in the Linux kernel when replaying the NTFS3 filesystem journal if the filesystem is corrupted.
Such memory corruption could potentially cause system instability, crashes, or unexpected behavior.
However, exploitation requires a corrupted filesystem, which is generally outside the normal threat model for the kernel, so the practical risk is limited to scenarios involving filesystem corruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability involves a potential out-of-bounds memory copy in the Linux kernel's NTFS3 filesystem driver during journal replay, which requires a corrupted filesystem to be exploitable.
There is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a flaw in the Linux kernel's NTFS3 filesystem driver related to improper validation of the rec->used field during journal replay. Detection would generally require checking for corrupted NTFS filesystems or abnormal behavior during filesystem journal replay.
Since the vulnerability requires a corrupted filesystem and involves internal kernel memory operations, there are no direct network detection methods or simple commands to detect exploitation.
To detect if your system is vulnerable, you should verify the Linux kernel version and ensure it includes the fix for this issue. Monitoring system logs for filesystem errors related to NTFS journal replay might help identify attempts to trigger the flaw.
No specific commands or network detection signatures are provided in the available information.