--- /dev/null
+From 5b08dccecf825cbf905f348bc6ccb497507e28e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Date: Wed, 10 Jun 2026 12:31:01 +0200
+Subject: ntfs3: reject direct userspace writes to reserved $LX* xattrs
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+commit 5b08dccecf825cbf905f348bc6ccb497507e28e2 upstream.
+
+NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
+permission metadata and reloads them into i_uid, i_gid and i_mode
+from ntfs_get_wsl_perm().
+
+Because the empty-prefix xattr handler also lets file owners call
+setxattr() on these names directly, an unprivileged writer on a
+writable ntfs3 mount can plant root ownership and S_ISUID on their own
+file and gain euid 0 after inode reload.
+
+Reject direct userspace writes to the reserved $LX* names. Internal
+ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
+writes them via ntfs_set_ea() directly.
+
+Signed-off-by: Zhen Yan <sdjasjbuaa@gmail.com>
+[almaz.alexandrovich@paragon-software.com: added an additional check for non privileged users]
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/xattr.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -845,6 +845,12 @@ out:
+ return err;
+ }
+
++static bool ntfs_is_reserved_lxattr(const char *name)
++{
++ return !strcmp(name, "$LXUID") || !strcmp(name, "$LXGID") ||
++ !strcmp(name, "$LXMOD") || !strcmp(name, "$LXDEV");
++}
++
+ /*
+ * ntfs_setxattr - inode_operations::setxattr
+ */
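Review bot: `ntfs_is_reserved_lxattr()` has no comment explaining why exactly these four names are reserved, so a later reader cannot tell that the list must mirror what ntfs_get_wsl_perm() reloads into i_uid, i_gid and i_mode, and that a newly introduced $LX* EA would need to be added here too. Suggest a header comment above the helper: `/* EAs that ntfs_get_wsl_perm() maps onto i_uid/i_gid/i_mode/rdev; keep in sync with it, userspace may not set them directly. */`. The match is an exact, case-sensitive strcmp(); that is consistent only if the EA lookup used on the reload side is case-sensitive as well, which cannot be confirmed from this hunk, so it is worth stating the assumption in the same comment.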
+@@ -949,6 +955,12 @@ set_new_fa:
+ goto out;
+ }
+
++ /* Do not allow non privileged users to change $LXUID/$LXGID... */
++ if (ntfs_is_reserved_lxattr(name) && !capable(CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out;
++ }
++
+ /* Deal with NTFS extended attribute. */
+ err = ntfs_set_ea(inode, name, strlen(name), value, size, flags, 0,
+ NULL);
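Review bot: The check is placed immediately before the generic ntfs_set_ea() call, so it guards only names that reach this point; ntfs_setxattr() begins outside the hunk, and whether every path taken for a user-supplied `$LX*` name ends here (including removal, if a NULL value is routed through the same call) cannot be confirmed from the visible lines. The added comment names only two of the four attributes and does not say which privilege is required; suggest `/* $LXUID/$LXGID/$LXMOD/$LXDEV back i_uid/i_gid/i_mode, so only CAP_SYS_ADMIN may set or remove them through xattr; see ntfs_is_reserved_lxattr(). */`. Note that internal updates via ntfs_save_wsl_perm() bypass this handler per the commit message, which the comment could mention so the check is not mistaken for a complete write barrier.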