fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot_CVE-2026-45935

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot

In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the
entry size ('esize') is retrieved from the log record without adequate
bounds checking.

Specifically, the code calculates the end of the entry ('e2') using:
e2 = Add2Ptr(e1, esize);

It then calculates the size for memmove using 'PtrOffset(e2, ...)',
which subtracts the end pointer from the buffer limit. If 'esize' is
maliciously large, 'e2' exceeds the used buffer size. This results in
a negative offset which, when cast to size_t for memmove, interprets
as a massive unsigned integer, leading to a heap buffer overflow.

This commit adds a check to ensure that the entry size ('esize') strictly
fits within the remaining used space of the index header before performing
memory operations.

Basic Information

ID CVE-2026-45935

Source Linux

Published May 27, 2026 at 12:17

Modified May 30, 2026 at 10:46

Affected Product

Vendor Linux

Product Linux

Version b46acd6a6a627d876898e1c84d3f84902264b445

Affected Versions Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445
Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445
Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445
Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445
Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445
Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445
Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445
Linux Linux 5.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot\n\nIn the 'DeleteIndexEntryRoot' case of the 'do_action' function, the\nentry size ('esize') is retrieved from the log record without adequate\nbounds checking.\n\nSpecifically, the code calculates the end of the entry ('e2') using:\n    e2 = Add2Ptr(e1, esize);\n\nIt then calculates the size for memmove using 'PtrOffset(e2, ...)',\nwhich subtracts the end pointer from the buffer limit. If 'esize' is\nmaliciously large, 'e2' exceeds the used buffer size. This results in\na negative offset which, when cast to size_t for memmove, interprets\nas a massive unsigned integer, leading to a heap buffer overflow.\n\nThis commit adds a check to ensure that the entry size ('esize') strictly\nfits within the remaining used space of the index header before performing\nmemory operations.",
    "published": "2026-05-27T12:17:52.705Z",
    "modified": "2026-05-30T10:46:04.505Z",
    "type": "cve",
    "title": "fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/36c03f7f177b34d51f1cf1d2304b1074607bf4b0\nhttps://git.kernel.org/stable/c/b271c9cb85927210b1b799e55ee7f702d12b4336\nhttps://git.kernel.org/stable/c/a584b9d1059b29e97e17c919274e9adfb846f2a0\nhttps://git.kernel.org/stable/c/c065541b71b79874c83d418a9acd18ad5826339b\nhttps://git.kernel.org/stable/c/78942172d5bff4d4afed8674abc09cc560ce44a0\nhttps://git.kernel.org/stable/c/f3b437a4c3e022a1449658ae9f3dd34859894513\nhttps://git.kernel.org/stable/c/b2bc7c44ed1779fc9eaab9a186db0f0d01439622",
    "id": "CVE-2026-45935",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux b46acd6a6a627d876898e1c84d3f84902264b445\nLinux Linux b46acd6a6a627d876898e1c84d3f84902264b445\nLinux Linux b46acd6a6a627d876898e1c84d3f84902264b445\nLinux Linux b46acd6a6a627d876898e1c84d3f84902264b445\nLinux Linux b46acd6a6a627d876898e1c84d3f84902264b445\nLinux Linux b46acd6a6a627d876898e1c84d3f84902264b445\nLinux Linux b46acd6a6a627d876898e1c84d3f84902264b445\nLinux Linux 5.15",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "b46acd6a6a627d876898e1c84d3f84902264b445",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply