In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: fix missing run load for vcn0 in attrdatagetblocklocked()
When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments.
The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes runlookupentry() to return SPARSELCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARNON(1).
Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup.
The following scenario triggers the bug: attrdatagetblocklocked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attrallocateclusters() <- allocation succeeds runlookupentry(vcn0) <- vcn0 not in run -> SPARSELCN WARNON(1) <- bug fires here!
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53027.json"
}