CVE-2026-31716

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 01/05/2026
Last modified: 06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: validate rec->used in journal-replay file record check

check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec->used from disk and use it to compute memmove lengths:

    DeleteAttribute: memmove(attr, ..., used - asize - roff)
    CreateAttribute: memmove(..., attr, used - roff)
    change_attr_size: memmove(..., used - PtrOffset(rec, next))

When rec->used is smaller than the offset of a validated attribute, or larger than the record size, these subtractions can underflow allowing us to copy huge amounts of memory into a 4kb buffer, generally considered a bad idea overall.

This requires a corrupted filesystem, which isn't a threat model the kernel really needs to worry about, but checking for such an obvious out-of-bounds value is good to keep things robust, especially on journal replay.

Fix this up by bounding rec->used correctly.

This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot") which checked different values in this same switch statement.
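
The unsigned underflow described above, and one way to bound used before a length is derived from it, as an added example (not the kernel's code and not the actual patch). RECORD_SIZE, the function names and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE 4096u /* assumed; the page mentions a 4kb buffer */

/* Length as in the DeleteAttribute case: used - asize - roff, unsigned.
 * If used < asize + roff it wraps to a value close to 2^32. */
static uint32_t delete_len_unchecked(uint32_t used, uint32_t asize, uint32_t roff)
{
    return used - asize - roff;
}

/* Hypothetical validator: used must fit in the record and must cover the
 * attribute at [roff, roff + asize). Written without any addition that
 * could itself overflow. */
static bool used_is_sane(uint32_t used, uint32_t roff, uint32_t asize)
{
    if (used > RECORD_SIZE || roff > used)
        return false;
    return asize <= used - roff;
}

/* Remove the attribute at roff from a record buffer of RECORD_SIZE bytes.
 * Returns the new used value, or -1 if the on-disk values are rejected. */
static int64_t delete_attr_checked(uint8_t *rec, uint32_t used,
                                   uint32_t roff, uint32_t asize)
{
    if (!used_is_sane(used, roff, asize))
        return -1;
    memmove(rec + roff, rec + roff + asize, used - asize - roff);
    return (int64_t)used - asize;
}

int main(void)
{
    static uint8_t rec[RECORD_SIZE]; /* constructed sample record, all zero */
    /* Constructed values: used (0x100) is below the attribute offset (0x180). */
    printf("unchecked length: 0x%x\n",
           (unsigned)delete_len_unchecked(0x100, 0x40, 0x180));
    printf("checked result:   %lld\n",
           (long long)delete_attr_checked(rec, 0x100, 0x180, 0x40));
    return 0;
}
```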

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.2 (excluding)
cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*