CVE-2025-39691

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's buffer handling code that can lead to kernel memory corruption. It affects systems using the NTFS3 filesystem driver during mount operations. The vulnerability allows local attackers to potentially crash the system or escalate privileges.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernel versions around 6.16.0-862.14.0.6.x86_64 and related versions with the vulnerable code
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the NTFS3 filesystem driver. The vulnerability triggers during NTFS filesystem mount operations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash, or potential privilege escalation to root if combined with other vulnerabilities.

🟠 Likely Case: System crash or kernel panic during NTFS filesystem mount operations.

🟢 If Mitigated: No impact if patched or if NTFS3 driver is not used.

🌐 Internet-Facing: LOW - Requires local access to trigger.
🏢 Internal Only: MEDIUM - Local users or processes can trigger the vulnerability during NTFS mount operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to mount NTFS filesystems. The vulnerability is triggered during specific timing conditions in buffer handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in kernel commits: 03b40bf5d0389ca23ae6857ee25789f0e0b47ce8, 042cf48ecf67f72c8b3846c7fac678f472712ff3, 3169edb8945c295cf89120fc6b2c35cfe3ad4c9e, 70a09115da586bf662c3bae9c0c4a1b99251fad9, 7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49

Vendor Advisory: https://git.kernel.org/stable/c/03b40bf5d0389ca23ae6857ee25789f0e0b47ce8

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the fix is applied by checking kernel version.

🔧 Temporary Workarounds

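Disable NTFS3 driver

Prevent loading of the NTFS3 filesystem driver to avoid triggering the vulnerability. Run as root (platform: Linux):

# Stop the ntfs3 module from being auto-loaded when an NTFS3 mount is requested
echo 'blacklist ntfs3' >> /etc/modprobe.d/blacklist-ntfs3.conf
# Rebuild the initramfs so the blacklist is also present at early boot (Debian/Ubuntu tool)
update-initramfs -u
# A module that is already loaded stays loaded until the reboot
reboot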

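Restrict NTFS mount permissions

Limit which users can mount NTFS filesystems. Run as root (platform: Linux):

# Mode 750 removes execute access for other users and clears the setuid bit,
# so this blocks non-root use of mount for every filesystem type, not just NTFS
chmod 750 /bin/mount
# Applies only where a mount.ntfs3 helper is installed
chmod 750 /sbin/mount.ntfs3
setfacl -m u:root:rwx /bin/mount /sbin/mount.ntfs3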

🧯 If You Can't Patch

  • Restrict local user access to systems with NTFS mounts
  • Monitor for NTFS mount attempts and system crashes

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the NTFS3 module is loaded (a driver built into the kernel does not appear in lsmod output):

uname -r && lsmod | grep ntfs3

Check Version:

uname -r

Verify Fix Applied:

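Verify that the kernel version is updated, and check dmesg for the absence of KASAN stack-out-of-bounds errors related to bh_read. KASAN reports are only produced by kernels built with CONFIG_KASAN, so on other kernels rely on the kernel version.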
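
An exposure check that goes beyond lsmod, as an added example (not taken from the kernel advisory): it reads /proc/filesystems, which lists ntfs3 whether the driver is built in or loaded as a module, then /proc/mounts and the modprobe.d configuration. The function name, the status strings and the inclusion of the modprobe.d install directive are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify NTFS3 exposure on a host.
# Arguments default to the live system; pass other paths to inspect
# collected copies of these files.

ntfs3_exposure() {
    filesystems=${1:-/proc/filesystems}
    mounts=${2:-/proc/mounts}
    modprobe_dir=${3:-/etc/modprobe.d}

    # Field 3 of /proc/mounts is the filesystem type. An ntfs3 mount
    # means the driver is active right now.
    if awk '$3 == "ntfs3" { f = 1 } END { exit !f }' "$mounts"; then
        echo "in-use"
        return 0
    fi

    # /proc/filesystems lists every registered filesystem, including
    # built-in drivers that lsmod never shows. A blacklist entry does
    # not remove a driver that is already registered.
    if awk '$NF == "ntfs3" { f = 1 } END { exit !f }' "$filesystems"; then
        echo "registered"
        return 0
    fi

    # Driver not registered: check whether loading is blocked by a
    # "blacklist ntfs3" line (the page's workaround) or by an
    # "install ntfs3 ..." override (assumption: also treated as a block).
    if grep -Eqs '^[[:space:]]*(blacklist|install)[[:space:]]+ntfs3([[:space:]]|$)' \
        "$modprobe_dir"/*.conf; then
        echo "blocked"
        return 0
    fi

    echo "not-blocked"
}

# Report the status of the current host (or of the paths given as arguments).
ntfs3_exposure "$@"
```

A result of "registered" or "in-use" on a host where the blacklist file exists means the workaround has not taken effect yet, for example because the system was not rebooted or the driver is built in.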

📡 Detection & Monitoring

Log Indicators:

  • KASAN: stack-out-of-bounds errors in kernel logs
  • System crashes during NTFS mount operations
  • end_buffer_read_sync+0xe3/0x110 in stack traces

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="kernel" AND "KASAN: stack-out-of-bounds" AND ("bh_read" OR "end_buffer_read_sync")
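
The same logic applied to raw kernel log text, as an added example (not part of the original advisory): a KASAN report spans several lines, so bh_read may appear in the call trace rather than on the header line, and a line-by-line match can miss it. The function names are assumptions of this example and the sample log is constructed, using only the indicators listed above.

```shell
#!/bin/sh
# Added example: count KASAN stack-out-of-bounds reports that mention
# bh_read or end_buffer_read_sync anywhere inside the report body.

count_bh_read_kasan() {
    awk '
        # Header line of a KASAN report opens a new report window.
        /BUG: KASAN: stack-out-of-bounds/ { inrep = 1; hit = 0 }
        # Count each report once if either indicator shows up inside it.
        inrep && !hit && /bh_read|end_buffer_read_sync/ { hit = 1; n++ }
        # The row of "=" characters after the header closes the report.
        inrep && /==========/ && !/BUG:/ { inrep = 0 }
        END { print n + 0 }
    ' "$@"
}

# Constructed sample log (not captured from a real system).
sample_log() {
    cat <<'EOF'
[   10.000000] ==================================================================
[   10.000001] BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
[   10.000002] Call Trace:
[   10.000003]  end_buffer_read_sync+0xe3/0x110
[   10.000004] ==================================================================
[   20.000000] ==================================================================
[   20.000001] BUG: KASAN: stack-out-of-bounds in example_fn+0x10/0x20
[   20.000002] ==================================================================
[   30.000000] example: bh_read mentioned outside any KASAN report
EOF
}

# Only the first report in the sample matches.
sample_log | count_bh_read_kasan
```

On a live host the function can read the kernel ring buffer directly, for example `dmesg | count_bh_read_kasan`.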
