{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-71067","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:30:19.647Z","datePublished":"2026-01-13T15:31:22.585Z","dateUpdated":"2026-05-11T21:54:05.851Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:54:05.851Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: set dummy blocksize to read boot_block when mounting\n\nWhen mounting, sb->s_blocksize is used to read the boot_block without\nbeing defined or validated. Set a dummy blocksize before attempting to\nread the boot_block.\n\nThe issue can be triggered with the following syz reproducer:\n\n  mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\\x00', 0x0)\n  r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)\n  ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)\n  mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\\x00',\n        &(0x7f0000000000)='ntfs3\\x00', 0x2208004, 0x0)\n  syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)\n\nHere, the ioctl sets the bdev block size to 16384. During mount,\nget_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),\nbut since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves\nsb->s_blocksize at zero.\n\nLater, ntfs_init_from_boot() attempts to read the boot_block while\nsb->s_blocksize is still zero, which triggers the bug.\n\n[almaz.alexandrovich@paragon-software.com: changed comment style, added\nreturn value handling]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ntfs3/super.c"],"versions":[{"version":"28861e3bbd9e7ac4cd9c811aad71b4d116e27930","lessThan":"0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5","status":"affected","versionType":"git"},{"version":"28861e3bbd9e7ac4cd9c811aad71b4d116e27930","lessThan":"44a38eb4f7876513db5a1bccde74de9bc4389d43","status":"affected","versionType":"git"},{"version":"28861e3bbd9e7ac4cd9c811aad71b4d116e27930","lessThan":"4fff9a625da958a33191c8553a03283786f9f417","status":"affected","versionType":"git"},{"version":"28861e3bbd9e7ac4cd9c811aad71b4d116e27930","lessThan":"b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a","status":"affected","versionType":"git"},{"version":"28861e3bbd9e7ac4cd9c811aad71b4d116e27930","lessThan":"d1693a7d5a38acf6424235a6070bcf5b186a360d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ntfs3/super.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.64","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.3","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.18.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5"},{"url":"https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43"},{"url":"https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417"},{"url":"https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a"},{"url":"https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d"}],"title":"ntfs: set dummy blocksize to read boot_block when mounting","x_generator":{"engine":"bippy-1.2.0"}}}}