CVE-2025-68365: ntfs3 Zeroes Allocation to Fix KMSAN in Linux

A new Linux kernel stability and correctness patch was assigned CVE‑2025‑68365 and describes a narrow but important fix in the ntfs3 driver: allocated memory used by ntfs3 was not always zeroed before use, and the upstream remedy is to switch allocation calls from kmem_cache_alloc (or equivalent wrappers) to the zeroing variant kmem_cache_zalloc so sanitizer-reported uninitialized values are eliminated.

Background / Overview​

The Linux in‑kernel NTFS implementation (ntfs3) provides native NTFS read/write support in the kernel and therefore touches highly privileged code paths that parse on‑disk metadata and interact with the VFS and block layer. Kernel Memory Sanitizer (KMSAN) tooling reported multiple uninitialized reads originating from ntfs3 functions — notably in ntfs_read_hdr (ntfsreadhdr) and bcmp — indicating the driver was reading memory that had been allocated but not explicitly initialized. The root cause, as recorded in public vulnerability imports, is an allocation via a __getname wrapper which ultimately called kmem_cache_alloc; the patch changes that allocation to a zero‑initializing variant (kmem_cache_zalloc) so bytes are deterministic when first used. This class of fix is about defensive correctness rather than a direct privilege escalation exploit: uninitialized memory reads are flagged by sanitizers because they can lead to indeterminate behavior, leaking kernel memory or producing incorrect logical decisions when code inspects now‑garbage bytes. While that outcome is not automatically a remote exploit, the kernel context and the possibility of crafted NTFS images being ingested by privileged services mean operators should treat this as a material kernel correctness vulnerability to be backported and patched promptly.

---

What happened technically​

The sanitizer trace and root cause​

KMSAN identified reads of heap memory that had not been zeroed before use. The problematic allocation flow used a name‑buffer helper (exposed via __getname wrappers) backed by a slab cache allocation (kmem_cache_alloc. Because kmem_cache_alloc returns uninitialized memory, subsequent code that compares, copies, or inspects that buffer saw indeterminate values. The straightforward upstream change replaces the non‑zeroing allocation with a zeroing allocation (kmem_cache_zalloc or kmem_cache_alloc_node with __GFP_ZERO equivalence), ensuring the buffer begins in a defined state.

Why switching to kmem_cache_zalloc is the right fix​

Zeroing the freshly allocated slab memory is the simplest conservative correction: if bytes are supposed to be populated by disk reads or explicit initialization later, leaving any leftover contents as zeros is the safest semantic — zeros usually represent "no data" or an empty value that does not spuriously change control flow. This approach avoids brittle assumptions about slab contents and eliminates a class of undefined behavior that automated fuzzers and sanitizers flag. The upstream kernel tree accepted a minimal-change patch that localizes the risk surface and is straightforward to backport.

---

Who and what are affected​

• Component: Linux kernel ntfs3 driver (CONFIG_NTFS3_FS / module ntfs3).
• Attack surface: Local or image‑supply vectors — i.e., any host that mounts or loop‑mounts NTFS volumes, inspects NTFS images, or processes third‑party NTFS images in privileged contexts. That includes virtualization host tooling, CI/CD image ingestion pipelines, backup appliances, forensic systems, desktop/laptop endpoints that mount USB/Windows disks, and cloud images that embed the ntfs3 module.
• Distribution exposure: Multiple public vulnerability trackers and downstream packaging tools have imported CVE‑2025‑68365; Debian and other distributions list kernel package ranges that may be affected and show where backports are appearing. Operators should treat kernels that include upstream ntfs3 code prior to the applied commits as in‑scope until the distribution releases a patched package.

---

Practical risk and exploitability assessment​

• Exploitability: Low for remote, unauthenticated network attacks. The practical trigger requires the kernel to parse crafted NTFS metadata — meaning an attacker must get the kernel or a privileged process to mount or read a malicious NTFS image. That happens readily in some operational contexts (automated image ingestion, virtualization hosts, or careless desktop users).
• Potential impacts: Indeterminate read results can cause kernel logic errors, incorrect comparisons, or even memory exposure depending on how the uninitialized bytes are used. The immediate, most realistic impacts are denial‑of‑service (kernel oops/panic), information leakage of kernel memory under some conditions, and incorrect filesystem behavior leading to data integrity problems. While remote code execution is not implied directly by this fix, kernel memory issues have historically been chained with other primitives to achieve escalations, so defenders should treat the vulnerability conservatively.
• Likelihood in the wild: Initially low, given the need for crafted NTFS images and the lack of public PoC at disclosure, but non‑zero especially where automated mounts or multi‑tenant image processing exists. Prior filesystem bugs that were initially judged low‑impact have later been weaponized in multi‑stage exploits; this CVE should be patched accordingly.

---

The patch, verification and vendor tracking​

Multiple canonical vulnerability aggregators and OSV imports show the same upstream remedy and reference kernel commits; those entries explicitly note the replacement of non‑zeroing allocation calls with zeroing equivalents and the elimination of KMSAN warnings in the suspect codepaths. The primary references point to the stable kernel commits that implement the change, and OSV/CVE imports were published on December 24, 2025. Because some upstream commit pages on git.kernel.org may be gated or return access errors in certain automated fetches, operators should validate from their vendor or distribution security tracker in addition to the upstream commit references. Aggregators such as OpenCVE, CVEDetails, and distro security trackers already reflect the CVE and list the corresponding kernel commit IDs where available. When vendor advisories are published, they will map the upstream commit(s) to package versions and recommended updates.

---

Immediate mitigation and remediation guidance​

Recommended immediate actions (operational checklist)​

• Inventory: Find systems that mount NTFS or may process NTFS images programmatically (commands to help with checks are well‑known: check whether the ntfs3 module exists via modinfo ntfs3, determine whether it's loaded with lsmod | grep ntfs3, and inspect compiled kernel config with zgrep CONFIG_NTFS3_FS /proc/config.gz). Validate on running hosts before assuming absence.
• Prioritize: Give high priority to virtualization hosts, image ingestion servers, backup and restore appliances, CI runners, and multi‑tenant infrastructure that might accept third‑party images. Desktop endpoints and single‑tenant machines that rarely mount untrusted media are lower priority but not exempt.
• Patch & Reboot: Apply patched kernel packages from your distribution or vendor as soon as they are available and reboot hosts into the updated kernel. Confirm package changelogs reference the upstream commit ID or CVE.
• Short‑term mitigations if patching is delayed:
• Prevent mounting of untrusted NTFS images on critical hosts.
• If ntfs3 is modular (not built‑in), blacklist the ntfs3 module (add “blacklist ntfs3” to /etc/modprobe.d/) and rebuild initramfs where necessary; this prevents module loading but does not affect kernels with built‑in ntfs3.
• Isolate image‑processing or image‑ingestion workflows in disposable VMs or sandboxes that can be updated or rebuilt quickly.
• Validate and monitor: After applying updates, verify uname -r matches the expected patched kernel and monitor kernel logs (dmesg, journalctl) for any residual oopses or ntfs3 traces. Add detection rules for ntfs3-related kernel messages.

Why blacklisting is only a stopgap​

Blacklisting the module is effective only if ntfs3 is built as a loadable module. Some kernels include ntfs3 built‑in; in those builds blacklisting cannot prevent the code from being present or executed. Blacklisting also may create operational friction for legitimate NTFS usage, so it is best used only as a temporary compensating control while you schedule a kernel update.

---

Detection, hunting and incident response​

• Look for kernel oops/panic entries referencing ntfs3 symbols or call chains that include ntfs_read_hdr, ntfsreadhdr, or bcmp from ntfs3 codepaths. Kernel logs are the primary immediate indicator.
• Correlate image ingestion logs (CI pipelines, VM import logs, automount events) with kernel messages — identify images that were mounted or processed in a short window before the observed kernel errors.
• Preserve suspect images and capture volatile memory if exploitation is suspected; kernel panics can destroy ephemeral evidence so if you suspect a targeted attack preserve artifacts before rebooting.
• If you detect unexpected kernel memory exposure or repeated uninitialized reads, consider isolating the host and engaging vendor or upstream kernel support for assisted analysis.

---

Why this fix matters — strengths and limitations​

Strengths​

• The upstream change is surgical and minimal: zeroing allocated buffers is a conservative corrective action that eliminates a class of undefined behavior without changing on‑disk NTFS semantics or complex driver logic. Minimal changes reduce regression risk and speed backporting into stable kernel branches.
• The fix addresses the issue observed by robust sanitizer tooling (KMSAN), which means the problem was reproducible by instrumentation and therefore straightforward to reason about and test. This improves confidence in the correctness of both the problem identification and the remediation.

Limitations and remaining risks​

• Distribution and vendor lag: downstream vendors and embedded/OEM images may take longer to ship backports. Embedded appliances and slow‑release vendor kernels are typical places where filesystem fixes remain vulnerable longer than mainstream distributions. Operators of such systems must escalate to vendors for explicit backports or plan compensating mitigations.
• Local/image‑supply threat model: the vulnerability is still exploitable only where the attacker can supply or cause parsing of crafted NTFS metadata. That does not make it benign; many production environments automatically ingest external images. A single crafted image supplied to a CI runner or virtualization host can have an outsized operational impact.
• Availability vs confidentiality/integrity: the immediate practical outcomes center on availability (doS, kernel oops) and correctness; however, any kernel memory exposure or misuse could be chained into more serious outcomes depending on additional weaknesses or poorly mitigated environments.

---

Recommended rollout and testing strategy​

• Discovery & inventory: Enumerate which hosts have ntfs3 support (module present or compiled in), and identify image‑ingestion services or automation that may mount images or external media. Use configuration management tools to sweep the estate.
• Patch pilot: Stage kernel updates in a pilot ring of non‑critical hosts that mirror production workloads. Reboot and run storage‑intensive integration tests and checks for kernel stability.
• Full deployment: Roll the patched kernels across prioritized classes (virtualization hosts and multi‑tenant services first, then file servers and image‑processing nodes).
• Post‑deploy validation: Confirm packages and kernel changelogs reference the upstream commit or CVE; monitor kernel logs for residual symptoms; maintain a watch window for a few days for unusual kernel messages.
• Vendor follow‑through: For appliances and OEM systems outside your direct patch control, open support tickets requesting explicit backports and timelines; where available, use vendor VEX/CSAF outputs to validate their mapping.

---

A note about vendor pages and the MSRC link the user reported​

The user-supplied MSRC (Microsoft Security Response Center) vulnerability page URL appears to return a "not found" or unavailable message. That is not unusual early in a disclosure cycle: a vendor may not yet have mapped the upstream CVE to product pages, or a product mapping may not include Microsoft products if the affected code is not present in their particular kernel builds. Independent aggregators (OSV, OpenCVE, Debian security tracker, CVEDetails) already list CVE‑2025‑68365 and reference upstream kernel commits that perform the allocation zeroing change; use your distribution security tracker and vendor VEX/CSAF attestations to confirm product mappings for Microsoft‑published artifacts (for example, Azure Linux image attestation) rather than relying solely on a single vendor page that may not yet be populated.

---

How to verify on a host (quick commands)​

• Check whether ntfs3 is present in the running kernel:
• sudo modinfo ntfs3 — returns module metadata if present.
• lsmod | grep ntfs3 — shows if the module is currently loaded.
• Inspect kernel configuration for ntfs3:
• zgrep CONFIG_NTFS3_FS /proc/config.gz — shows whether ntfs3 is built as module (=m) or built‑in (=y).
• After applying vendor updates:
• uname -r — confirm the host is running the patched kernel.
• Check package changelog or kernel package release notes for the CVE or upstream commit ID.
  These checks are standard and appear in multiple operational advisories for ntfs3 CVEs.

---

Long‑term defensive lessons for administrators​

• Treat filesystem parsers as high‑value attack surfaces: they run in kernel context and parse complex on‑disk encodings. Any automated ingestion of third‑party images or external media should be architected with least privilege and isolation.
• Run sanitizer tooling and fuzzing on development builds where feasible; many of the CVEs in modern kernel history were discovered by automated tools like syzbot and KMSAN-based instrumentation.
• Maintain a rapid‑patch process for kernel updates that includes staging, smoke testing, and controlled reboots for critical infrastructure. The cost of an emergency rollback or replacement is usually higher than planned maintenance windows for kernel updates.
• Leverage vendor VEX/CSAF artifacts where available to map upstream CVEs to vendor packages and product images; do not assume product pages will always be populated immediately.

---

Conclusion​

CVE‑2025‑68365 is a focused correctness vulnerability in the kernel’s ntfs3 driver: sanitizer tooling observed uninitialized-value reads originating from memory allocated by __getname/kmem_cache_alloc that was later used without being zeroed. The upstream fix replaces those allocations with their zeroing counterparts, eliminating the KMSAN warnings and removing a deterministic source of undefined behavior. While the risk model is primarily local/image‑supply rather than remote network exploitation, the privileged kernel context and the operational realities of automated image ingestion and multi‑tenant hosts make this a pragmatic, actionable fix for administrators. Operators should inventory ntfs3 exposure, prioritize virtualization and image‑processing infrastructure for patching, apply distribution kernel updates once vendor advisories are released, and use short‑term mitigations (module blacklisting, sandboxing image processing) where patching cannot be performed immediately. For systems that must remain available while waiting for vendor backports, isolate image‑processing pipelines, avoid mounting untrusted NTFS media on shared hosts, and monitor kernel logs for ntfs3‑related oopses and KMSAN traces. The upstream patch is intentionally small and conservative; it protects kernel correctness with minimal risk of regression, but the window between upstream commit and vendor rollout is the practical exposure window administrators must manage.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center