CVE-2025-71267

Description

In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it. When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread. This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux内核 < 5.15（具体版本需查看内核更新日志）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# 畸形的NTFS镜像创建示例（概念验证）
# 此代码仅用于安全研究

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-71267
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-71267
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-71267/
[4] VulDB https://vuldb.com/cve/CVE-2025-71267
[5] https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d
[6] https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68
[7] https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354
[8] https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e
[9] https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c
[10] https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f
[11] https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-71267", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T11:16:15.720", "lastModified": "2026-05-21T18:28:40.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nfs: ntfs3: corrige bucle infinito provocado por ATTR_LIST de tamaño cero\n\nSe encontró un error de bucle infinito en el sistema de archivos ntfs3 que puede llevar a una condición de Denegación de Servicio (DoS).\n\nUna imagen NTFS malformada puede causar un bucle infinito cuando un atributo ATTR_LIST indica un tamaño de datos cero mientras el controlador asigna memoria para ello.\n\nCuando ntfs_load_attr_list() procesa un ATTR_LIST residente con data_size establecido en cero, todavía asigna memoria debido a al_aligned(0). Esto crea un estado inconsistente donde ni->attr_list.size es cero, pero ni->attr_list.le no es nulo. Esto hace que ni_enum_attr_ex asuma incorrectamente que no existe ninguna lista de atributos y enumere solo el registro MFT primario. Cuando encuentra ATTR_LIST, el código lo recarga y reinicia la enumeración, repitiéndose indefinidamente. La operación de montaje nunca se completa, colgando el hilo del kernel.\n\nEste parche añade validación para asegurar que data_size no sea cero antes de la asignación de memoria. Cuando se detecta un ATTR_LIST de tamaño cero, la función devuelve -EINVAL, previniendo una vulnerabilidad de DoS."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.202", "matchCriteriaId": "B0330CE4-09CE-43EF-A9C8-CD49FFD1DC98"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca ... (truncated)