CVE-2025-37806

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fixed version

Description A NULL pointer dereference issue has been identified in the Linux kernel, specifically in the fs/ntfs3 module. This issue occurs when a user executes an ioctl command to clear the compression flag of a file while a write operation is in progress, causing the program to enter the wrong process and call the wrong operation, resulting in a NULL pointer dereference. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited.

Recommendations To resolve this issue, use the inode lock to synchronize ioctl and write operations, avoiding the NULL pointer dereference. As a temporary workaround, consider disabling the generic file write iter function until a patch is available. Restrict access to the ntfs file write iter function to minimize the risk of exploitation. Avoid using the ioctl$FS IOC SETFLAGS command in the affected API endpoint until the issue is resolved.