CVE-2025-71265 Affecting perf-debuginfo package, versions <1:6.1.166-197.305.amzn2023
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-AMZN2023-PERFDEBUGINFO-15980915
- published11 Apr 2026
- disclosed18 Mar 2026
Introduced: 18 Mar 2026
CVE-2025-71265 (opens in a new tab)How to fix?
Upgrade Amazon-Linux:2023 perf-debuginfo to version 1:6.1.166-197.305.amzn2023 or higher.
This issue was patched in ALAS2023-2026-1544.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perf-debuginfo package and not the perf-debuginfo package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition.
A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop.
This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-71265
- https://git.kernel.org/stable/c/3c3a6e951b9b53dab2ac460a655313cf04c4a10a
- https://git.kernel.org/stable/c/4b90f16e4bb5607fb35e7802eb67874038da4640
- https://git.kernel.org/stable/c/6f07a590616ff5f57f7c041d98e463fad9e9f763
- https://git.kernel.org/stable/c/78b61f7eac37a63284774b147f38dd0be6cad43c
- https://git.kernel.org/stable/c/a89bc96d5abd8a4a8d5d911884ea347efcdf460b
- https://git.kernel.org/stable/c/af839013c70a24779f9d1afb1575952009312d38
- https://git.kernel.org/stable/c/c0b43c45d45f59e7faad48675a50231a210c379b