CVE-2026-53027

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: fix missing run load for vcn0 in attr data get block locked()

When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this case, vcn and vcn0 may reside in different attribute segments.

The code already handles the case where vcn is in a different segment by loading its runs before allocation. However, it fails to load runs for vcn0 when vcn0 resides in a different segment than vcn. This causes run lookup entry() to return SPARSE LCN for vcn0 since its segment was never loaded into the in-memory run list, triggering the WARN ON(1).

Fix this by adding a missing check for vcn0 after the existing vcn segment check. If vcn0 falls outside the current segment range [svcn, evcn1), find and load the attribute segment containing vcn0 before performing the run lookup.

The following scenario triggers the bug: attr data get block locked() vcn = vcn0 & cmask <- vcn != vcn0 after frame alignment load runs for vcn segment <- vcn0 segment not loaded! attr allocate clusters() <- allocation succeeds run lookup entry(vcn0) <- vcn0 not in run -> SPARSE LCN WARN ON(1) <- bug fires here!