{"api_version":"1","generated_at":"2026-06-27T07:37:39+00:00","cve":"CVE-2026-53027","urls":{"html":"https://cve.report/CVE-2026-53027","api":"https://cve.report/api/cve/CVE-2026-53027.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53027","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53027"},"summary":{"title":"fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()\n\nWhen a compressed or sparse attribute has its clusters frame-aligned,\nvcn is rounded down to the frame start using cmask, which can result\nin vcn != vcn0. In this case, vcn and vcn0 may reside in different\nattribute segments.\n\nThe code already handles the case where vcn is in a different segment\nby loading its runs before allocation. However, it fails to load runs\nfor vcn0 when vcn0 resides in a different segment than vcn. This causes\nrun_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was\nnever loaded into the in-memory run list, triggering the WARN_ON(1).\n\nFix this by adding a missing check for vcn0 after the existing vcn\nsegment check. If vcn0 falls outside the current segment range\n[svcn, evcn1), find and load the attribute segment containing vcn0\nbefore performing the run lookup.\n\nThe following scenario triggers the bug:\n  attr_data_get_block_locked()\n    vcn = vcn0 & cmask        <- vcn != vcn0 after frame alignment\n    load runs for vcn segment <- vcn0 segment not loaded!\n    attr_allocate_clusters()  <- allocation succeeds\n    run_lookup_entry(vcn0)    <- vcn0 not in run -> SPARSE_LCN\n    WARN_ON(1)                <- bug fires here!","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:14","updated_at":"2026-06-24 17:17:14"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/d7ea8495fd307b58f8867acd81a1b40075b1d3ba","name":"https://git.kernel.org/stable/c/d7ea8495fd307b58f8867acd81a1b40075b1d3ba","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54","name":"https://git.kernel.org/stable/c/2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53027","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53027","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c380b52f6c5702cc4bdda5e6d456d6c19a201a0b 2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c380b52f6c5702cc4bdda5e6d456d6c19a201a0b d7ea8495fd307b58f8867acd81a1b40075b1d3ba git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 406a037d93b769bca248476bd14bbe548dc1ec35 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.132 6.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53027","cve":"CVE-2026-53027","epss":"0.001550000","percentile":"0.050380000","score_date":"2026-06-26","updated_at":"2026-06-27 00:07:47"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ntfs3/attrib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54","status":"affected","version":"c380b52f6c5702cc4bdda5e6d456d6c19a201a0b","versionType":"git"},{"lessThan":"d7ea8495fd307b58f8867acd81a1b40075b1d3ba","status":"affected","version":"c380b52f6c5702cc4bdda5e6d456d6c19a201a0b","versionType":"git"},{"status":"affected","version":"406a037d93b769bca248476bd14bbe548dc1ec35","versionType":"git"},{"lessThan":"6.2","status":"affected","version":"6.1.132","versionType":"semver"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/ntfs3/attrib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.2"},{"lessThan":"6.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"6.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"6.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.132","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()\n\nWhen a compressed or sparse attribute has its clusters frame-aligned,\nvcn is rounded down to the frame start using cmask, which can result\nin vcn != vcn0. In this case, vcn and vcn0 may reside in different\nattribute segments.\n\nThe code already handles the case where vcn is in a different segment\nby loading its runs before allocation. However, it fails to load runs\nfor vcn0 when vcn0 resides in a different segment than vcn. This causes\nrun_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was\nnever loaded into the in-memory run list, triggering the WARN_ON(1).\n\nFix this by adding a missing check for vcn0 after the existing vcn\nsegment check. If vcn0 falls outside the current segment range\n[svcn, evcn1), find and load the attribute segment containing vcn0\nbefore performing the run lookup.\n\nThe following scenario triggers the bug:\n  attr_data_get_block_locked()\n    vcn = vcn0 & cmask        <- vcn != vcn0 after frame alignment\n    load runs for vcn segment <- vcn0 segment not loaded!\n    attr_allocate_clusters()  <- allocation succeeds\n    run_lookup_entry(vcn0)    <- vcn0 not in run -> SPARSE_LCN\n    WARN_ON(1)                <- bug fires here!"}],"providerMetadata":{"dateUpdated":"2026-06-24T16:29:35.740Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/2b4ae1ce613ade8a7e118fba4a5a77cd23e97e54"},{"url":"https://git.kernel.org/stable/c/d7ea8495fd307b58f8867acd81a1b40075b1d3ba"}],"title":"fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53027","datePublished":"2026-06-24T16:29:35.740Z","dateReserved":"2026-06-09T07:44:35.379Z","dateUpdated":"2026-06-24T16:29:35.740Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:14","lastModifiedDate":"2026-06-24 17:17:14","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53027","Ordinal":"1","Title":"fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_l","CVE":"CVE-2026-53027","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53027","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()\n\nWhen a compressed or sparse attribute has its clusters frame-aligned,\nvcn is rounded down to the frame start using cmask, which can result\nin vcn != vcn0. In this case, vcn and vcn0 may reside in different\nattribute segments.\n\nThe code already handles the case where vcn is in a different segment\nby loading its runs before allocation. However, it fails to load runs\nfor vcn0 when vcn0 resides in a different segment than vcn. This causes\nrun_lookup_entry() to return SPARSE_LCN for vcn0 since its segment was\nnever loaded into the in-memory run list, triggering the WARN_ON(1).\n\nFix this by adding a missing check for vcn0 after the existing vcn\nsegment check. If vcn0 falls outside the current segment range\n[svcn, evcn1), find and load the attribute segment containing vcn0\nbefore performing the run lookup.\n\nThe following scenario triggers the bug:\n  attr_data_get_block_locked()\n    vcn = vcn0 & cmask        <- vcn != vcn0 after frame alignment\n    load runs for vcn segment <- vcn0 segment not loaded!\n    attr_allocate_clusters()  <- allocation succeeds\n    run_lookup_entry(vcn0)    <- vcn0 not in run -> SPARSE_LCN\n    WARN_ON(1)                <- bug fires here!","Type":"Description","Title":"fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_l"}]}}}