{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-71267","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-17T09:08:18.457Z","datePublished":"2026-03-18T10:05:04.008Z","dateUpdated":"2026-05-11T21:57:05.561Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:57:05.561Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ntfs3/attrlist.c"],"versions":[{"version":"be71b5cba2e6485e8959da7a9f9a44461a1bb074","lessThan":"9267d99fade76d44d4a133599524031fe684156e","status":"affected","versionType":"git"},{"version":"be71b5cba2e6485e8959da7a9f9a44461a1bb074","lessThan":"976e6a7c51fabf150478decbe8ef5d9a26039b7c","status":"affected","versionType":"git"},{"version":"be71b5cba2e6485e8959da7a9f9a44461a1bb074","lessThan":"8d8c70b57dbeda3eb165c0940b97e85373ca9354","status":"affected","versionType":"git"},{"version":"be71b5cba2e6485e8959da7a9f9a44461a1bb074","lessThan":"7ef219656febf5ae06ae56b1fce47ebd05f92b68","status":"affected","versionType":"git"},{"version":"be71b5cba2e6485e8959da7a9f9a44461a1bb074","lessThan":"9779a6eaaabdf47aa57910d352b398ad742e6a5f","status":"affected","versionType":"git"},{"version":"be71b5cba2e6485e8959da7a9f9a44461a1bb074","lessThan":"fd508939dbca5eceefb2d0c2564beb15469572f2","status":"affected","versionType":"git"},{"version":"be71b5cba2e6485e8959da7a9f9a44461a1bb074","lessThan":"06909b2549d631a47fcda249d34be26f7ca1711d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ntfs3/attrlist.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"5.15.202","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.165","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.128","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.75","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.16","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.6","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.1.165"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.6.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.12.75"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.18.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"6.19.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9267d99fade76d44d4a133599524031fe684156e"},{"url":"https://git.kernel.org/stable/c/976e6a7c51fabf150478decbe8ef5d9a26039b7c"},{"url":"https://git.kernel.org/stable/c/8d8c70b57dbeda3eb165c0940b97e85373ca9354"},{"url":"https://git.kernel.org/stable/c/7ef219656febf5ae06ae56b1fce47ebd05f92b68"},{"url":"https://git.kernel.org/stable/c/9779a6eaaabdf47aa57910d352b398ad742e6a5f"},{"url":"https://git.kernel.org/stable/c/fd508939dbca5eceefb2d0c2564beb15469572f2"},{"url":"https://git.kernel.org/stable/c/06909b2549d631a47fcda249d34be26f7ca1711d"}],"title":"fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST","x_generator":{"engine":"bippy-1.2.0"}}}}