Cyber Resilience

CVE-2026-31716

Severity: High

Published: 01 May 2026
Modified: 01 June 2026
CISA KEV: not listed

CVSS v3.1 base score: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS score: 0.0001 (2.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31716 is a high-severity out-of-bounds write (CWE-787) in the Linux kernel's ntfs3 filesystem driver. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 2.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31716 is a vulnerability in the Linux kernel's ntfs3 filesystem driver, in check_file_record(), the sanity check applied to an MFT file record during journal replay. The function validates the rec->total field against the record size but never validates rec->used. That field is read straight from disk and is used by the do_action() replay handlers (DeleteAttribute, CreateAttribute and change_attr_size) to compute memmove lengths as unsigned differences such as used - asize - roff. If rec->used is smaller than the offset of an already validated attribute, or larger than the record size, those subtractions wrap to huge unsigned values, and the handler copies far more than fits into the 4 KB record buffer.

The CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:R: local access, low attack complexity, no privileges, and user interaction, the interaction being the mount of a crafted (deliberately corrupted) NTFS volume whose journal is then replayed. Note that a raw mount of a block device requires CAP_SYS_ADMIN; the PR:N rating assumes a path such as an automounter handling untrusted removable media, and the fix commit itself observes that a corrupted filesystem is not a threat model the kernel normally defends against. The impact rating is C:H/I:H/A:H, giving a base score of 7.8: the oversized memmove during journal replay corrupts kernel memory, which in the simplest case crashes the kernel (denial of service) and may be turned into arbitrary code execution.

The fix bounds rec->used before the replay handlers use it and is carried in the stable-tree commits 0112e6279420d4005b3d57af36fb45c01b8d0116, 0ca0485e4b2e837ebb6cbd4f2451aba665a03e4b, 4b1613d7e2deda831a97e427d1ea586e50fe1be5, f79d0403ea20a81bc29105bba54fbcab54e8c403, and f90b8a1798b750755a9e9aee66678f0a1820bbaf. It follows the pattern of commit b2bc7c44ed17, which added similar bounds to other values in the same switch statement to stop a slab-out-of-bounds read. Practitioners should move to a kernel that includes the fix. On hosts that never mount NTFS, preventing the ntfs3 module from loading removes the exposure entirely; because the module is autoloaded when an ntfs3 mount is requested, it has to be blacklisted, not merely left unloaded.
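The check and the replay arithmetic described above, as a constructed user-space model added to this page. It is example code, not the kernel's: struct mft_rec is a reduced stand-in for the kernel's struct MFT_REC carrying only the fields the bug involves, RECORD_SIZE and ATTR_OFF_MIN are assumed values, and the function names, the 0x38/0x48 attribute geometry and the three sample records are invented for the demonstration. The pre-fix check validates total but not used; the fixed check bounds used before any handler subtracts from it; the length functions compute the memmove sizes in the same 32-bit unsigned arithmetic as the handlers and return them instead of copying, so the wrap is visible without corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ntfs3 journal-replay file record check. Not kernel
 * code: struct mft_rec keeps only the fields the bug involves, the record size
 * is fixed at 4 KiB and ATTR_OFF_MIN is an assumed lower bound. */
#define RECORD_SIZE  4096u
#define ATTR_OFF_MIN 0x30u /* assumption: smallest plausible first-attribute offset */

struct mft_rec {
    uint16_t attr_off; /* offset of the first attribute, read from disk */
    uint16_t flags;    /* unused here; keeps the header 12 bytes wide */
    uint32_t used;     /* bytes of the record in use, read from disk */
    uint32_t total;    /* allocated record size, read from disk */
    uint8_t  body[RECORD_SIZE - 12]; /* attribute area */
};
_Static_assert(sizeof(struct mft_rec) == RECORD_SIZE, "model must be one 4 KiB record");

/* Shape of the pre-fix check: total and attr_off are validated, used is not. */
bool check_file_record_unfixed(const struct mft_rec *rec)
{
    return rec->total == RECORD_SIZE &&
           rec->attr_off >= ATTR_OFF_MIN &&
           rec->attr_off < RECORD_SIZE;
}

/* Shape of the fixed check: used must lie within [attr_off, total] before any
 * replay handler subtracts from it. The kernel's exact bound may be tighter. */
bool check_file_record_fixed(const struct mft_rec *rec)
{
    return check_file_record_unfixed(rec) &&
           rec->used >= rec->attr_off &&
           rec->used <= rec->total;
}

/* Length DeleteAttribute derives for memmove(attr, attr + asize, ...), in the
 * same unsigned 32-bit arithmetic the handler uses. Returned rather than passed
 * to memmove so the wrap can be shown without corrupting memory. */
uint32_t delete_attribute_move_len(const struct mft_rec *rec, uint32_t roff, uint32_t asize)
{
    return rec->used - asize - roff;
}

/* Length CreateAttribute derives for memmove(attr + asize, attr, ...). */
uint32_t create_attribute_move_len(const struct mft_rec *rec, uint32_t roff)
{
    return rec->used - roff;
}

/* Would a copy of len bytes read from src_off stay inside one record? */
bool move_fits_record(uint32_t src_off, uint32_t len)
{
    return src_off <= RECORD_SIZE && len <= RECORD_SIZE - src_off;
}

/* Push one DeleteAttribute replay through the pre-fix check and report whether
 * the resulting memmove would run past the 4 KiB record buffer. */
bool delete_replay_overflows_unfixed(const struct mft_rec *rec, uint32_t roff, uint32_t asize)
{
    if (!check_file_record_unfixed(rec))
        return false; /* rejected before any copy happens */
    return !move_fits_record(roff + asize, delete_attribute_move_len(rec, roff, asize));
}

int main(void)
{
    /* Constructed records: one sane, one with used below the attribute offset,
     * one with used beyond the record. roff/asize describe a hypothetical
     * first attribute of 0x48 bytes at offset 0x38. */
    const uint32_t roff = 0x38, asize = 0x48;
    struct mft_rec sane  = { .attr_off = 0x38, .used = 0x200,   .total = RECORD_SIZE };
    struct mft_rec small = { .attr_off = 0x38, .used = 0x20,    .total = RECORD_SIZE };
    struct mft_rec big   = { .attr_off = 0x38, .used = 0x10000, .total = RECORD_SIZE };
    const struct mft_rec *recs[] = { &sane, &small, &big };
    const char *names[] = { "sane", "used < attr_off", "used > record size" };

    for (int i = 0; i < 3; i++) {
        uint32_t len = delete_attribute_move_len(recs[i], roff, asize);
        printf("%-18s unfixed=%d fixed=%d DeleteAttribute len=0x%x (%s)\n", names[i],
               check_file_record_unfixed(recs[i]), check_file_record_fixed(recs[i]),
               len, move_fits_record(roff + asize, len) ? "fits" : "out of bounds");
    }
    return 0;
}
```

Both corrupted records pass the pre-fix check because only total is compared with the record size; the fixed check rejects them, which is the entire content of the patch. The "used < attr_off" case is the more dangerous one: the length wraps to nearly 4 GiB, so the copy does not merely overrun by a few bytes but runs until it hits an unmapped page.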


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: validate rec->used in journal-replay file record check

check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec->used from disk and use it to compute memmove lengths:

  DeleteAttribute:  memmove(attr, ..., used - asize - roff)
  CreateAttribute:  memmove(..., attr, used - roff)
  change_attr_size: memmove(..., used - PtrOffset(rec, next))

When rec->used is smaller than the offset of a validated attribute, or larger than the record size, these subtractions can underflow, allowing us to copy huge amounts of memory into a 4 KB buffer, generally considered a bad idea overall.

This requires a corrupted filesystem, which isn't a threat model the kernel really needs to worry about, but checking for such an obvious out-of-bounds value is good to keep things robust, especially on journal replay.

Fix this up by bounding rec->used correctly. This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot") which checked different values in this same switch statement.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why this technique: a kernel buffer overflow in ntfs3 journal replay, reached by mounting a crafted filesystem, is a local kernel memory-corruption primitive, and such primitives are the usual starting point for arbitrary kernel code execution and privilege escalation.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2025-71137 (same product: Linux kernel)
CVE-2026-31772 (same product: Linux kernel)
CVE-2026-23378 (same product: Linux kernel)
CVE-2026-31494 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-21650 (same product: Linux kernel)
CVE-2024-52319 (same product: Linux kernel)
CVE-2024-58003 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)
CVE-2026-23092 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions (as listed): 7.1; 5.15 through 6.6.136; 6.7 through 6.12.84; 6.13 through 6.18.25

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): validate rec->used, which is read from disk, against the record size and the offsets of the attributes already validated, so that the memmove lengths computed during NTFS journal replay cannot wrap.

SI-2 Flaw Remediation (prevent): apply the kernel patches that bound rec->used; they remove the buffer overflow in the ntfs3 journal-replay handlers directly. Where updating is delayed and NTFS is not needed, blacklisting the ntfs3 module removes the reachable code.

SI-16 Memory Protection (prevent): generic memory-safety hardening is defence in depth only here. The copy lands in a 4 KB kernel heap record buffer, not a stack frame, so stack canaries do not cover it; slab hardening and guard pages can turn a silent corruption into a crash, and KASAN catches the out-of-bounds write in test builds, but none of them replace the bounds check.
