CVE-2026-53027— fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-53027
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked() When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments. The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN_ON(1). Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup. The following scenario triggers the bug: attr_data_get_block_locked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attr_allocate_clusters() <- allocation succeeds run_lookup_entry(vcn0) <- vcn0 not in run -> SPARSE_LCN WARN_ON(1) <- bug fires here!
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-53027
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-53027
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-53027 (1)
Other References for CVE-2026-53027 (1)
Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total
| CVE-2026-52980 | sched/fair: Clear rel_deadline when initializing forked entities | |
| CVE-2026-52993 | tipc: fix double-free in tipc_buf_append() | |
| CVE-2026-52991 | sched/psi: fix race between file release and pressure write | |
| CVE-2026-52990 | fsnotify: fix inode reference leak in fsnotify_recalc_mask() | |
| CVE-2026-52988 | netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase | |
| CVE-2026-52989 | nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers | |
| CVE-2026-52987 | drm/amdgpu: avoid double drm_exec_fini() in userq validate | |
| CVE-2026-52986 | netfilter: nf_conntrack_sip: don't use simple_strtoul | |
| CVE-2026-52985 | netdevsim: zero initialize struct iphdr in dummy sk_buff | |
| CVE-2026-52984 | net/sched: netem: fix queue limit check to include reordered packets | |
| CVE-2026-52982 | net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() | |
| CVE-2026-52983 | net: airoha: fix BQL imbalance in TX path | |
| CVE-2026-52981 | neigh: let neigh_xmit take skb ownership | |
| CVE-2026-52979 | net: psp: check for device unregister when creating assoc | |
| CVE-2026-52968 | KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic | |
| CVE-2026-52972 | crypto: af_alg - Cap AEAD AD length to 0x80000000 | |
| CVE-2026-52970 | netfilter: nft_ct: fix missing expect put in obj eval | |
| CVE-2026-52969 | KVM: Reject wrapped offset in kvm_reset_dirty_gfn() | |
| CVE-2026-52971 | net: ena: PHC: Fix potential use-after-free in get_timestamp | |
| CVE-2026-52967 | smb/client: fix possible infinite loop and oob read in symlink_data() |
Showing top 20 of 219 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
Same vendor: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
V. Comments for CVE-2026-53027
No comments yet