2406767 – (CVE-2025-40067) CVE-2025-40067 kernel: fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist

Bug 2406767 (CVE-2025-40067) - CVE-2025-40067 kernel: fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist

Summary: CVE-2025-40067 kernel: fs/ntfs3: reject index allocation if $BITMAP is empty ...

Keywords:
Status:	NEW
Alias:	CVE-2025-40067
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-28 12:04 UTC by OSIDB Bzimport
Modified:	2025-12-23 11:04 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-28 12:04:27 UTC

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist

Index allocation requires at least one bit in the $BITMAP attribute to
track usage of index entries. If the bitmap is empty while index blocks
are already present, this reflects on-disk corruption.

syzbot triggered this condition using a malformed NTFS image. During a
rename() operation involving a long filename (which spans multiple
index entries), the empty bitmap allowed the name to be added without
valid tracking. Subsequent deletion of the original entry failed with
-ENOENT, due to unexpected index state.

Reject such cases by verifying that the bitmap is not empty when index
blocks exist.

Comment 1 Jon Moroney 2025-10-28 18:05:57 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025102817-CVE-2025-40067-fb1b@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.