CVE-2025-40313 in Linux
Summary
by MITRE • 12/08/2025
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: pretend $Extend records as regular files
Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.
Analysis
by VulDB Data Team • 02/23/2026
The vulnerability CVE-2025-40313 affects the Linux kernel's ntfs3 filesystem driver and represents a type confusion issue that arises from improper inode type handling. This flaw occurs within the virtual filesystem layer, where the kernel enforces strict inode type validation through the may_open() function. The ntfs3 driver is responsible for handling NTFS filesystems on Linux systems, and this vulnerability specifically impacts how the driver manages $Extend records, which are special metadata structures used by NTFS for storing extended attributes and other filesystem metadata. When processing these records, the kernel fails to properly categorize them according to the expected inode type constraints, creating a potential security risk.
The technical implementation flaw stems from a commit that introduced stricter validation in the VFS layer requiring inodes to be one of the standard file types including directories, symbolic links, regular files, character devices, block devices, named pipes, or sockets. The ntfs3 driver, in its handling of $Extend records, does not properly account for this validation requirement, leading to a situation where these special filesystem records are not correctly classified. The solution implemented in the fix involves explicitly setting the inode type to S_IFREG for $Extend records, effectively treating them as regular files during the validation process. This approach resolves the immediate type mismatch but introduces potential implications for how extended attributes and metadata are handled within the filesystem.
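The type rule described above, as an added example that is not taken from the kernel source or from this page: a userspace C model of a check that accepts only the seven listed file types. The names `mode_type_is_valid`, `pick_mode` and `rec_kind`, the permission bits, and the pre-fix state (a $Extend record's mode carrying no type bits) are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose S_IFLNK/S_IFSOCK under strict -std= modes */
#endif
#include <stdio.h>
#include <sys/stat.h>

/* Userspace model of the rule quoted in the summary: the file-type bits of
 * an inode mode must name exactly one of the seven listed types. */
static int mode_type_is_valid(mode_t mode)
{
    switch (mode & S_IFMT) {
    case S_IFDIR: case S_IFLNK: case S_IFREG: case S_IFCHR:
    case S_IFBLK: case S_IFIFO: case S_IFSOCK:
        return 1;
    default:            /* no type bits, or an undefined combination */
        return 0;
    }
}

/* Hypothetical record kinds for this model (not ntfs3's own types). */
enum rec_kind { REC_DIR, REC_FILE, REC_EXTEND };
/* Hypothetical mode selection with constructed permission bits.
 * fixed = 0 models the assumed pre-fix state (no type bits on $Extend
 * records); fixed = 1 models the fix, which uses S_IFREG for them. */
static mode_t pick_mode(enum rec_kind kind, int fixed)
{
    switch (kind) {
    case REC_DIR:    return S_IFDIR | 0755;
    case REC_FILE:   return S_IFREG | 0644;
    case REC_EXTEND: return fixed ? (S_IFREG | 0600) : 0600;
    }
    return 0;
}

/* Count records whose mode would fail the type check. */
static int count_rejected(const enum rec_kind *recs, int n, int fixed)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (!mode_type_is_valid(pick_mode(recs[i], fixed)))
            bad++;
    return bad;
}

int main(void)
{
    const enum rec_kind recs[] = { REC_DIR, REC_FILE, REC_EXTEND, REC_EXTEND };
    printf("rejected before/after fix: %d/%d\n",
           count_rejected(recs, 4, 0), count_rejected(recs, 4, 1));
    return 0;
}
```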
From an operational impact perspective, this vulnerability could enable malicious actors to exploit the type confusion in ways that might allow for privilege escalation or denial of service conditions. The ntfs3 filesystem driver is commonly used in environments where Windows interoperability is required, including enterprise systems that mount NTFS volumes for data exchange or backup operations. Attackers could potentially leverage this flaw to manipulate how filesystem metadata is processed, possibly gaining unauthorized access to extended attributes or causing the filesystem driver to behave unpredictably. The vulnerability is particularly concerning in multi-user environments where different users might access the same NTFS volumes, as it could create opportunities for privilege escalation attacks that align with techniques described in the ATT&CK framework under file and directory permissions modification.
The fix for CVE-2025-40313 demonstrates a defensive programming approach that prioritizes type safety within the kernel's VFS layer. By explicitly setting $Extend records to S_IFREG type, the implementation ensures compliance with the kernel's inode validation requirements while maintaining functional compatibility with existing NTFS filesystem operations. This solution addresses a CWE-120 vulnerability pattern related to improper type handling in kernel code, where the incorrect classification of filesystem objects can lead to security implications. The remediation follows established kernel security practices by ensuring that all inode operations adhere to the expected type constraints, thereby preventing potential exploitation paths that could arise from type confusion attacks. Organizations should prioritize applying this fix to systems running affected kernel versions, particularly those with active NTFS filesystem usage, as the vulnerability represents a potential entry point for privilege escalation in environments where NTFS interoperability is required.