The Linux kernel NTFS3 driver had a vulnerability where new folios allocated were not fully initialized before use. KMSAN detected uninitialized values in the function longest_match_std(), called from ntfs_compress_write(). This occurred because new folios were not marked uptodate and the function ni_read_frame() was skipped under the assumption that the frame would be completely overwritten. As a result, some reserved folios could remain partially uninitialized, causing use of uninitialized memory. This vulnerability is tracked as CVE-2025-71311 and is categorized under CWE-908 (Use of Uninitialized Variable).

The vulnerability does not affect confidentiality or integrity but impacts availability, as indicated by the CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The use of uninitialized memory could lead to system instability or crashes when the NTFS3 driver processes compressed writes. There are no known exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The description states the issue has been resolved, implying a fix exists in updated Linux kernel versions. Users should update to the latest kernel releases that include this fix once available.