{"id":"CVE-2025-71067","summary":"ntfs: set dummy blocksize to read boot_block when mounting","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: set dummy blocksize to read boot_block when mounting\n\nWhen mounting, sb-\u003es_blocksize is used to read the boot_block without\nbeing defined or validated. Set a dummy blocksize before attempting to\nread the boot_block.\n\nThe issue can be triggered with the following syz reproducer:\n\n  mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\\x00', 0x0)\n  r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)\n  ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)\n  mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\\x00',\n        &(0x7f0000000000)='ntfs3\\x00', 0x2208004, 0x0)\n  syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)\n\nHere, the ioctl sets the bdev block size to 16384. During mount,\nget_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),\nbut since block_size(bdev) \u003e PAGE_SIZE, sb_set_blocksize() leaves\nsb-\u003es_blocksize at zero.\n\nLater, ntfs_init_from_boot() attempts to read the boot_block while\nsb-\u003es_blocksize is still zero, which triggers the bug.\n\n[almaz.alexandrovich@paragon-software.com: changed comment style, added\nreturn value handling]","modified":"2026-03-26T04:18:23.344602Z","published":"2026-01-13T15:31:22.585Z","related":["MGASA-2026-0017","MGASA-2026-0018"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71067.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71067.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71067"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"28861e3bbd9e7ac4cd9c811aad71b4d116e27930"},{"fixed":"0c9327c8abf9c8f046e45008bb43d94d8ee5c6c5"},{"fixed":"44a38eb4f7876513db5a1bccde74de9bc4389d43"},{"fixed":"4fff9a625da958a33191c8553a03283786f9f417"},{"fixed":"b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a"},{"fixed":"d1693a7d5a38acf6424235a6070bcf5b186a360d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71067.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71067.json"}}],"schema_version":"1.7.5"}