CVE-2026-53027
Awaiting Analysis Awaiting Analysis - Queue

Buffer Overflow Fix in Linux Kernel NTFS3 Filesystem

Vulnerability report for CVE-2026-53027, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-10

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked() When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments. The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1). Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup. The following scenario triggers the bug: attr_data_get_block_locked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attr_allocate_clusters() <- allocation succeeds run_lookup_entry(vcn0) <- vcn0 not in run -> SPARSE_LCN WARN_ON(1) <- bug fires here!

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-10
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability triggers a WARN_ON(1) in the Linux kernel when the bug condition occurs during NTFS3 filesystem operations involving compressed or sparse attributes.

Detection would involve monitoring kernel logs for WARN_ON messages related to fs/ntfs3, specifically those indicating issues in attr_data_get_block_locked or run_lookup_entry.

You can check the kernel logs using commands such as:

  • dmesg | grep -i ntfs3
  • journalctl -k | grep -i WARN_ON
  • journalctl -k | grep -i ntfs3

Additionally, verifying the Linux kernel version against known patched versions can help identify if the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to update the Linux kernel to a version that includes the fix for this vulnerability.

Since the vulnerability is in the fs/ntfs3 module related to attribute run loading, applying the patch or upgrading to a kernel version released after 2026-06-24 will resolve the issue.

Until the update is applied, monitoring kernel logs for WARN_ON messages related to ntfs3 can help detect if the bug is being triggered.

Avoid performing operations on compressed or sparse NTFS attributes that might trigger the bug if possible.

Executive Summary

This vulnerability exists in the Linux kernel's NTFS3 filesystem driver, specifically in the function attr_data_get_block_locked(). It occurs when handling compressed or sparse attributes that have their clusters frame-aligned. Due to frame alignment, the virtual cluster number (vcn) is rounded down, causing vcn to differ from the original vcn0. These two may reside in different attribute segments.

While the code correctly loads runs for the segment containing vcn, it fails to load runs for the segment containing vcn0 if it is different. This omission causes the function run_lookup_entry() to return SPARSE_LCN for vcn0, as its segment was never loaded into memory, triggering a warning (WARN_ON(1)).

The fix involves adding a missing check to load the attribute segment containing vcn0 before performing the run lookup, ensuring proper handling of these cases.

Impact Analysis

This vulnerability can cause the Linux kernel to trigger a warning (WARN_ON(1)) during filesystem operations involving compressed or sparse NTFS attributes. While the description does not explicitly mention data corruption or security breaches, the warning indicates a bug that could potentially lead to unexpected behavior or instability in the filesystem driver.

Such instability might affect system reliability or data integrity when working with affected NTFS filesystems, especially under workloads involving compressed or sparse files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart