{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45935", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.086Z", "datePublished": "2026-05-27T12:17:52.705Z", "dateUpdated": "2026-05-27T12:17:52.705Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:17:52.705Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot\n\nIn the 'DeleteIndexEntryRoot' case of the 'do_action' function, the\nentry size ('esize') is retrieved from the log record without adequate\nbounds checking.\n\nSpecifically, the code calculates the end of the entry ('e2') using:\n e2 = Add2Ptr(e1, esize);\n\nIt then calculates the size for memmove using 'PtrOffset(e2, ...)',\nwhich subtracts the end pointer from the buffer limit. If 'esize' is\nmaliciously large, 'e2' exceeds the used buffer size. This results in\na negative offset which, when cast to size_t for memmove, interprets\nas a massive unsigned integer, leading to a heap buffer overflow.\n\nThis commit adds a check to ensure that the entry size ('esize') strictly\nfits within the remaining used space of the index header before performing\nmemory operations."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/fslog.c"], "versions": [{"version": "b46acd6a6a627d876898e1c84d3f84902264b445", "lessThan": "36c03f7f177b34d51f1cf1d2304b1074607bf4b0", "status": "affected", "versionType": "git"}, {"version": "b46acd6a6a627d876898e1c84d3f84902264b445", "lessThan": "b271c9cb85927210b1b799e55ee7f702d12b4336", "status": "affected", "versionType": "git"}, {"version": "b46acd6a6a627d876898e1c84d3f84902264b445", "lessThan": "a584b9d1059b29e97e17c919274e9adfb846f2a0", "status": "affected", "versionType": "git"}, {"version": "b46acd6a6a627d876898e1c84d3f84902264b445", "lessThan": "c065541b71b79874c83d418a9acd18ad5826339b", "status": "affected", "versionType": "git"}, {"version": "b46acd6a6a627d876898e1c84d3f84902264b445", "lessThan": "78942172d5bff4d4afed8674abc09cc560ce44a0", "status": "affected", "versionType": "git"}, {"version": "b46acd6a6a627d876898e1c84d3f84902264b445", "lessThan": "f3b437a4c3e022a1449658ae9f3dd34859894513", "status": "affected", "versionType": "git"}, {"version": "b46acd6a6a627d876898e1c84d3f84902264b445", "lessThan": "b2bc7c44ed1779fc9eaab9a186db0f0d01439622", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ntfs3/fslog.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.202", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.202"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/36c03f7f177b34d51f1cf1d2304b1074607bf4b0"}, {"url": "https://git.kernel.org/stable/c/b271c9cb85927210b1b799e55ee7f702d12b4336"}, {"url": "https://git.kernel.org/stable/c/a584b9d1059b29e97e17c919274e9adfb846f2a0"}, {"url": "https://git.kernel.org/stable/c/c065541b71b79874c83d418a9acd18ad5826339b"}, {"url": "https://git.kernel.org/stable/c/78942172d5bff4d4afed8674abc09cc560ce44a0"}, {"url": "https://git.kernel.org/stable/c/f3b437a4c3e022a1449658ae9f3dd34859894513"}, {"url": "https://git.kernel.org/stable/c/b2bc7c44ed1779fc9eaab9a186db0f0d01439622"}], "title": "fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot\n\nIn the 'DeleteIndexEntryRoot' case of the 'do_action' function, the\nentry size ('esize') is retrieved from the log record without adequate\nbounds checking.\n\nSpecifically, the code calculates the end of the entry ('e2') using:\n e2 = Add2Ptr(e1, esize);\n\nIt then calculates the size for memmove using 'PtrOffset(e2, ...)',\nwhich subtracts the end pointer from the buffer limit. If 'esize' is\nmaliciously large, 'e2' exceeds the used buffer size. This results in\na negative offset which, when cast to size_t for memmove, interprets\nas a massive unsigned integer, leading to a heap buffer overflow.\n\nThis commit adds a check to ensure that the entry size ('esize') strictly\nfits within the remaining used space of the index header before performing\nmemory operations."}], "id": "CVE-2026-45935", "lastModified": "2026-05-27T14:48:03.013", "metrics": {}, "published": "2026-05-27T14:17:09.613", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/36c03f7f177b34d51f1cf1d2304b1074607bf4b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/78942172d5bff4d4afed8674abc09cc560ce44a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a584b9d1059b29e97e17c919274e9adfb846f2a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b271c9cb85927210b1b799e55ee7f702d12b4336"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b2bc7c44ed1779fc9eaab9a186db0f0d01439622"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c065541b71b79874c83d418a9acd18ad5826339b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f3b437a4c3e022a1449658ae9f3dd34859894513"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}