CVE-2026-31716
Received Received - Intake
Buffer Overflow in Linux Kernel NTFS3 Filesystem

Publication date: 2026-05-01

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: validate rec->used in journal-replay file record check check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec->used from disk and use it to compute memmove lengths: DeleteAttribute: memmove(attr, ..., used - asize - roff) CreateAttribute: memmove(..., attr, used - roff) change_attr_size: memmove(..., used - PtrOffset(rec, next)) When rec->used is smaller than the offset of a validated attribute, or larger than the record size, these subtractions can underflow allowing us to copy huge amounts of memory in to a 4kb buffer, generally considered a bad idea overall. This requires a corrupted filesystem, which isn't a threat model the kernel really needs to worry about, but checking for such an obvious out-of-bounds value is good to keep things robust, especially on journal replay Fix this up by bounding rec->used correctly. This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot") which checked different values in this same switch statement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31716
EUVD
EUVD-2026-26525
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.84 (exc)
linux linux_kernel From 5.15 (inc) to 6.6.136 (exc)
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.25 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves a flaw in the Linux kernel's NTFS3 filesystem driver related to improper validation of the rec->used field during journal replay. Detection would generally require checking for corrupted NTFS filesystems or abnormal behavior during filesystem journal replay.

Since the vulnerability requires a corrupted filesystem and involves internal kernel memory operations, there are no direct network detection methods or simple commands to detect exploitation.

To detect if your system is vulnerable, you should verify the Linux kernel version and ensure it includes the fix for this issue. Monitoring system logs for filesystem errors related to NTFS journal replay might help identify attempts to trigger the flaw.

No specific commands or network detection signatures are provided in the available information.

Mitigation Strategies

This vulnerability requires a corrupted filesystem to be exploitable. To mitigate it, ensure your Linux kernel is updated to a version that includes the fix which bounds rec->used correctly during journal replay in the ntfs3 filesystem driver.

Since the issue is related to the Linux kernel's ntfs3 filesystem driver, applying the latest kernel patches or upgrading to a fixed kernel version is the immediate step to prevent potential exploitation.

Executive Summary

This vulnerability exists in the Linux kernel's NTFS3 filesystem driver, specifically in how it validates certain fields during journal replay of file records.

The function check_file_record() validates the total size of a record but does not validate the 'used' field within that record. During journal replay, the 'used' value is read from disk and used to calculate memory copy lengths with memmove operations.

If 'used' is smaller than the offset of a validated attribute or larger than the record size, calculations can underflow, causing memmove to copy excessive amounts of memory into a small 4KB buffer. This can lead to memory corruption.

The vulnerability requires a corrupted filesystem to be exploitable, which is not a typical threat model for the kernel, but the fix improves robustness by properly bounding the 'used' value.

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel when replaying the NTFS3 filesystem journal if the filesystem is corrupted.

Such memory corruption could potentially cause system instability, crashes, or unexpected behavior.

However, exploitation requires a corrupted filesystem, which is generally outside the normal threat model for the kernel, so the practical risk is limited to scenarios involving filesystem corruption.

Compliance Impact

This vulnerability involves a potential out-of-bounds memory copy in the Linux kernel's NTFS3 filesystem driver during journal replay, which requires a corrupted filesystem to be exploitable.

There is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31716. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart