CVE-2025-68728 | ntfs3: fix uninit memory after failed mi_read in mi_format_new

In the Linux kernel, the following vulnerability has been resolved:

ntfs3: fix uninit memory after failed mi_read in mi_format_new

Fix a KMSAN un-init bug found by syzkaller.

ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be uptodate. We do not bring the buffer uptodate before setting it as uptodate. If the buffer were to not be uptodate, it could mean adding a buffer with un-init data to the mi record. Attempting to load that record will trigger KMSAN.

Avoid this by setting the buffer as uptodate, if it’s not already, by overwriting it.

Published: 2025-12-24
Last update: 2026-04-15
Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Conclusion & alert: CVE-2025-68728 is rated Low Risk (20.7/100): low exploitation likelihood (EPSS 0.07%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-68728

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-06-03  0.05%           0.07%           +0.02%
2  2026-05-23  0.06%           0.05%           -0.01%
3  2026-02-10                  0.06%

Full EPSS history (4 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-68728

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2025-68728

OS Trackers for CVE-2025-68728

Vendor: debian
Priority: unimportant
Summary: CVE-2025-68728 unimportant priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.
Link: https://security-tracker.debian.org/tracker/CVE-2025-68728

Vendor: redhat
Link: https://access.redhat.com/security/cve/CVE-2025-68728

Vendor: suse
Priority: medium
Summary: CVE-2025-68728 severity moderate: SUSE including 308 source package names (2.1.3-6.115:kernel-default-base-6.4.0-39.1.21.16, 2.1.3-7.146:kernel-rt-6.4.0-40.1, …), 544 product×package rows across 79 product lines (Container suse/sl-micro/6.0/base-os-container, Container suse/sl-micro/6.0/kvm-os-container, … (79 product lines)): Known Affected 231, Known Not Affected 195, Fixed 118.
Link: https://www.suse.com/security/cve/CVE-2025-68728/

Vendor: ubuntu
Priority: medium
Summary: CVE-2025-68728 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 179, released 147, not-affected 46, pending 14, needed 9.
Link: https://ubuntu.com/security/CVE-2025-68728

Affected software / configurations for CVE-2025-68728

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-68728
