GHSA-GV9M-P4C7-MXP3

Vulnerability from github – Published: 2025-10-28 12:30 – Updated: 2025-10-28 12:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

fs: ntfs3: Fix integer overflow in run_unpack()

The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function.

The run_unpack function decodes the compressed runlist data format from MFT attributes (for example, $DATA), converting them into a runs_tree structure, which describes the mapping of virtual clusters (VCN) to logical clusters (LCN). The NTFS3 subsystem also has a shortcut for deleting files from MFT records - in this case, the RUN_DEALLOCATE command is sent to the run_unpack input, and the function logic provides that all data transferred to the runlist about file or directory is deleted without creating a runs_tree structure.

Substituting the runlist in the $DATA attribute of the MFT record for an arbitrary file can lead either to access to arbitrary data on the disk bypassing access checks to them (since the inode access check occurs above) or to destruction of arbitrary data on the disk.

Add overflow check for addition operation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40068"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-28T12:15:41Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: Fix integer overflow in run_unpack()\n\nThe MFT record relative to the file being opened contains its runlist,\nan array containing information about the file\u0027s location on the physical\ndisk. Analysis of all Call Stack paths showed that the values of the\nrunlist array, from which LCNs are calculated, are not validated before\nrun_unpack function.\n\nThe run_unpack function decodes the compressed runlist data format\nfrom MFT attributes (for example, $DATA), converting them into a runs_tree\nstructure, which describes the mapping of virtual clusters (VCN) to\nlogical clusters (LCN). The NTFS3 subsystem also has a shortcut for\ndeleting files from MFT records - in this case, the RUN_DEALLOCATE\ncommand is sent to the run_unpack input, and the function logic\nprovides that all data transferred to the runlist about file or\ndirectory is deleted without creating a runs_tree structure.\n\nSubstituting the runlist in the $DATA attribute of the MFT record for an\narbitrary file can lead either to access to arbitrary data on the disk\nbypassing access checks to them (since the inode access check\noccurs above) or to destruction of arbitrary data on the disk.\n\nAdd overflow check for addition operation.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
  "id": "GHSA-gv9m-p4c7-mxp3",
  "modified": "2025-10-28T12:30:17Z",
  "published": "2025-10-28T12:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40068"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ac37e100385b59ac821a62118494442238aaac4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5aa5799d162ad1b8e8b699d48b6218143c695a78"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/736fc7bf5f68f6b74a0925b7e072c571838657d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9378cfe228c2c679564a4116bcb28c8e89dff989"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a86c8b9d03f7101e1750233846fe989df6f0d631"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6b36cfd25cbadad63447c673743cf771090e756"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.