CVE-2026-53027
Received - Intake
Buffer Overflow Fix in Linux Kernel NTFS3 Filesystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()

When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments.

The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1).

Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup.

The following scenario triggers the bug:

    attr_data_get_block_locked()
      vcn = vcn0 & cmask             <- vcn != vcn0 after frame alignment
      load runs for vcn segment      <- vcn0 segment not loaded!
      attr_allocate_clusters()       <- allocation succeeds
      run_lookup_entry(vcn0)         <- vcn0 not in run -> SPARSE_LCN
      WARN_ON(1)                     <- bug fires here!

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's NTFS3 filesystem driver, specifically in the function attr_data_get_block_locked(). It occurs when handling compressed or sparse attributes that have their clusters frame-aligned. Due to frame alignment, the virtual cluster number (vcn) is rounded down, causing vcn to differ from the original vcn0. These two may reside in different attribute segments.

While the code correctly loads runs for the segment containing vcn, it fails to load runs for the segment containing vcn0 if it is different. This omission causes the function run_lookup_entry() to return SPARSE_LCN for vcn0, as its segment was never loaded into memory, triggering a warning (WARN_ON(1)).

The fix involves adding a missing check to load the attribute segment containing vcn0 before performing the run lookup, ensuring proper handling of these cases.
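
The scenario above as a small userspace C model, added here as an illustration; it is not code from the kernel or from this page. The names disk, runs, seg_of, run_lookup and get_block, the two-segment layout and the form of cmask are assumptions, and cluster allocation is left out so that only the segment-loading step is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define SPARSE_LCN UINT64_MAX /* stand-in value for "no mapping in the run list" */
#define NSEG 2

/* Constructed layout: each attribute segment maps VCNs [svcn, evcn1) from lcn. */
struct segment { uint64_t svcn, evcn1, lcn; };
static const struct segment disk[NSEG] = {
    {  0, 20, 1000 }, /* holds the frame start, vcn 16 */
    { 20, 40, 5000 }, /* holds the requested cluster, vcn0 21 */
};

/* In-memory run list: a lookup only sees segments that were loaded. */
struct runs { bool loaded[NSEG]; };

static int seg_of(uint64_t vcn) /* hypothetical helper: segment index or -1 */
{
    for (int i = 0; i < NSEG; i++)
        if (vcn >= disk[i].svcn && vcn < disk[i].evcn1) return i;
    return -1;
}

static uint64_t run_lookup(const struct runs *r, uint64_t vcn)
{
    int i = seg_of(vcn);
    if (i < 0 || !r->loaded[i])
        return SPARSE_LCN; /* segment never loaded: looks like a hole */
    return disk[i].lcn + (vcn - disk[i].svcn);
}

/* Model of the described flow; 'fixed' adds the missing vcn0 segment check. */
static uint64_t get_block(uint64_t vcn0, uint64_t frame, bool fixed)
{
    struct runs r = { { false } };
    uint64_t cmask = ~(frame - 1); /* assumed: frame size is a power of two */
    uint64_t vcn = vcn0 & cmask;   /* frame alignment, may cross a segment */
    int s = seg_of(vcn), s0 = seg_of(vcn0);
    if (s < 0 || s0 < 0) return SPARSE_LCN;
    r.loaded[s] = true;            /* existing behaviour: load vcn's segment */
    if (fixed && (vcn0 < disk[s].svcn || vcn0 >= disk[s].evcn1))
        r.loaded[s0] = true;       /* the fix: also load vcn0's segment */
    return run_lookup(&r, vcn0);   /* SPARSE_LCN here is the WARN_ON(1) case */
}

int main(void)
{
    printf("unfixed: %s, fixed lcn: %llu\n", get_block(21, 16, false) == SPARSE_LCN ? "SPARSE_LCN" : "mapped", (unsigned long long)get_block(21, 16, true));
}
```

When vcn and vcn0 fall in the same segment (for example vcn0 = 17), both variants return the same mapping, which is why the missing load only shows up when a frame straddles a segment boundary.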

Impact Analysis

This vulnerability can cause the Linux kernel to trigger a warning (WARN_ON(1)) during filesystem operations involving compressed or sparse NTFS attributes. While the description does not explicitly mention data corruption or security breaches, the warning indicates a bug that could potentially lead to unexpected behavior or instability in the filesystem driver.

Such instability might affect system reliability or data integrity when working with affected NTFS filesystems, especially under workloads involving compressed or sparse files.
