CVE-2025-68365
📋 TL;DR
This CVE describes an uninitialized memory vulnerability in the Linux kernel's NTFS3 filesystem driver. When reading NTFS headers, the driver uses memory allocated by __getname() without proper initialization, potentially exposing kernel memory contents. This affects Linux systems using the NTFS3 driver to mount or access NTFS filesystems.
💻 Affected Systems
- Linux kernel with NTFS3 driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory disclosure could leak sensitive information including cryptographic keys, process memory, or other privileged data to userspace applications.
Likely Case
Information disclosure of uninitialized kernel memory to userspace applications accessing NTFS filesystems, potentially revealing system state or previously freed data.
If Mitigated
With proper access controls and limited NTFS usage, impact is minimal as it requires filesystem access and doesn't provide direct privilege escalation.
🎯 Exploit Status
Exploitation requires local access and ability to trigger NTFS header reads. KMSAN detection suggests this was found through fuzzing/sanitization rather than active exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions containing the fix commits referenced in the CVE
Vendor Advisory: https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load patched kernel.
3. Verify NTFS3 driver is updated.
🔧 Temporary Workarounds
Disable NTFS3 driver
Linux: Prevent loading of the vulnerable NTFS3 driver module
echo 'blacklist ntfs3' >> /etc/modprobe.d/blacklist-ntfs3.conf
rmmod ntfs3
Use alternative NTFS driver
Linux: Use NTFS-3G userspace driver instead of kernel NTFS3 driver
apt-get install ntfs-3g
mount -t ntfs-3g /dev/sdX /mnt/ntfs
🧯 If You Can't Patch
- Avoid mounting NTFS filesystems using the NTFS3 driver
- Restrict access to users who might trigger the vulnerability through NTFS operations
🔍 How to Verify
Check if Vulnerable:
Check if NTFS3 driver is loaded: lsmod | grep ntfs3. If loaded and kernel version is before fix commits, system may be vulnerable.
Check Version:
uname -r
Verify Fix Applied:
Check kernel version includes fix commits: uname -r and verify against patched versions. Ensure NTFS3 driver version matches patched kernel.
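The `lsmod` check above only lists loadable modules, so a kernel with ntfs3 built in shows nothing there. The script below is an added example, not part of the original advisory: it classifies exposure from `/proc/filesystems`, `/proc/mounts` and the modprobe configuration directory, and it does not tell you whether the running kernel carries the fix. The function names and the four result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify how exposed a host is to the ntfs3 driver.
# Inputs are file paths so saved copies from another host can be checked too.

# Is the ntfs3 filesystem type registered (loaded module OR built-in)?
# $1 has the format of /proc/filesystems.
ntfs3_registered() {
    awk '$NF == "ntfs3" { found = 1 } END { exit !found }' "$1"
}

# Print every mount point currently served by ntfs3.
# $1 has the format of /proc/mounts (device, mount point, fstype, ...).
ntfs3_mounts() {
    awk '$3 == "ntfs3" { print $2 }' "$1"
}

# Does any *.conf file in modprobe directory $1 blacklist ntfs3?
ntfs3_blacklisted() {
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+ntfs3([[:space:]]|$)' "$1"/*.conf
}

# Usage: ntfs3_exposure FILESYSTEMS MOUNTS MODPROBE_DIR
# Prints one of: in-use, registered, blacklisted, loadable.
ntfs3_exposure() {
    if [ -n "$(ntfs3_mounts "$2")" ]; then
        echo in-use          # NTFS volumes are being read through ntfs3 now
    elif ntfs3_registered "$1"; then
        echo registered      # driver active; a blacklist entry no longer matters
    elif ntfs3_blacklisted "$3"; then
        echo blacklisted     # workaround from this page is in place
    else
        echo loadable        # if the module is installed, a mount can still load it
    fi
}

# Constructed sample state (not from a real host): driver registered, no mounts.
demo=$(mktemp -d)
printf 'nodev\tsysfs\n\text4\n\tntfs3\n' > "$demo/filesystems"
printf '/dev/sda1 / ext4 rw 0 0\n' > "$demo/mounts"
mkdir "$demo/modprobe.d"
echo "sample host: $(ntfs3_exposure "$demo/filesystems" "$demo/mounts" "$demo/modprobe.d")"

# On a live system:
#   ntfs3_exposure /proc/filesystems /proc/mounts /etc/modprobe.d
```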
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing KMSAN warnings about uninitialized values in ntfs_read_hdr or bcmp
- System logs showing NTFS3 driver loading or NTFS mount operations
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
Not applicable for network detection. Monitor for kernel panic logs or KMSAN warnings related to NTFS3.
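KMSAN reports only appear on kernels built with KMSAN enabled, and the headline of a report may name `bcmp` rather than an ntfs3 function, so matching the headline alone misses it. The filter below is an added example, not part of the original advisory: it groups each KMSAN report and keeps only those whose call trace touches `ntfs_read_hdr` or `fs/ntfs3/`. The function name and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find KMSAN reports in a saved kernel log that involve ntfs3.

# Usage: kmsan_ntfs3_reports LOGFILE
# Prints the "BUG: KMSAN:" headline of every report whose body mentions
# ntfs_read_hdr or a source path under fs/ntfs3/.
kmsan_ntfs3_reports() {
    awk '
        # Close the current report; print its headline if it touched ntfs3.
        function emit() { if (inrep && hit) print title; inrep = 0; hit = 0 }
        /BUG: KMSAN:/                       { emit(); inrep = 1; title = $0 }
        inrep && /ntfs_read_hdr|fs\/ntfs3\// { hit = 1 }
        inrep && /=====/                    { emit() }   # closing separator line
        END                                 { emit() }   # log cut off mid-report
    ' "$1"
}

# Constructed sample log (not captured from a real system): one report that
# reaches ntfs_read_hdr via bcmp, and one unrelated report.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[   10.000000] =====================================================
[   10.000001] BUG: KMSAN: uninit-value in bcmp+0x10/0x20
[   10.000002]  bcmp+0x10/0x20
[   10.000003]  ntfs_read_hdr+0x30/0x40
[   10.000004] Uninit was created at:
[   10.000005]  example_alloc+0x10/0x20
[   10.000006] =====================================================
[   20.000000] =====================================================
[   20.000001] BUG: KMSAN: uninit-value in example_other_func+0x10/0x20
[   20.000002]  example_other_func+0x10/0x20
[   20.000003] =====================================================
EOF
kmsan_ntfs3_reports "$sample_log"

# On a live system, save the kernel log first, for example:
#   journalctl -k > /tmp/kernel.log && kmsan_ntfs3_reports /tmp/kernel.log
```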
🔗 References
- https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742
- https://git.kernel.org/stable/c/7d52c592cf53f5bb7163967edc01d2d7d80de44a
- https://git.kernel.org/stable/c/a58e29849aef8d26554a982989a2190b49aaf8ed
- https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398
- https://git.kernel.org/stable/c/bdf38063fd15f2fc7361dc0b5d3c259741eab835
- https://git.kernel.org/stable/c/f7728057220cabd720e27e46097edad48e5bd728