CVE-2026-45935

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
27/05/2026
Last modified:
24/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot<br /> <br /> In the &amp;#39;DeleteIndexEntryRoot&amp;#39; case of the &amp;#39;do_action&amp;#39; function, the<br /> entry size (&amp;#39;esize&amp;#39;) is retrieved from the log record without adequate<br /> bounds checking.<br /> <br /> Specifically, the code calculates the end of the entry (&amp;#39;e2&amp;#39;) using:<br /> e2 = Add2Ptr(e1, esize);<br /> <br /> It then calculates the size for memmove using &amp;#39;PtrOffset(e2, ...)&amp;#39;,<br /> which subtracts the end pointer from the buffer limit. If &amp;#39;esize&amp;#39; is<br /> maliciously large, &amp;#39;e2&amp;#39; exceeds the used buffer size. This results in<br /> a negative offset which, when cast to size_t for memmove, interprets<br /> as a massive unsigned integer, leading to a heap buffer overflow.<br /> <br /> This commit adds a check to ensure that the entry size (&amp;#39;esize&amp;#39;) strictly<br /> fits within the remaining used space of the index header before performing<br /> memory operations.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.202 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.128 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.4 (excluding)