Description
In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.
Published: 2026-04-21
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow occurs in the ntfs_build_permissions_posix() function in the acls.c source of NTFS-3G. When the SUID-root executable processes a NTFS image that contains a security descriptor with many ACCESS_DENIED ACEs including WRITE_OWNER from distinct group SIDs, the overflow corrupts heap memory. This flaw maps to CWE-122 and can allow an attacker to execute arbitrary code with root privileges, potentially compromising confidentiality, integrity, and availability of the host system.

Affected Systems

The vulnerability affects the Tuxera NTFS-3G implementation, specifically any releases prior to 2026.2.25, including the 2022.10.3 version. The SUID-root binary is the entry point for exploitation.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. Although EPSS data is not available and the vulnerability is not listed in CISA KEV, the exploit is realistic because it is triggered by a crafted NTFS image that can be presented to the system through the SUID-root binary. The likely attack vector involves local or file‑system interaction; an attacker who can mount or request an NTFS volume built from a malicious image can trigger the overflow and gain root access.

Generated by OpenCVE AI on April 22, 2026 at 06:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NTFS-3G to version 2026.2.25 or later which contains the fix for the heap overflow.
  • If upgrading is not immediately possible, remove the SUID bit from the ntfs-3g binary or configure the system to run it as a non‑privileged user, thereby preventing privilege escalation via the overflow.
  • Validate or quarantine NTFS images before mounting them with ntfs-3g; avoid mounting untrusted volumes or filesystems that may contain malicious security descriptors.

Generated by OpenCVE AI on April 22, 2026 at 06:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4544-1 ntfs-3g security update
Debian DSA Debian DSA DSA-6221-1 ntfs-3g security update
History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Title NTFS-3G SUID-root Heap Buffer Overflow Enables Privilege Escalation

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.
First Time appeared Tuxera
Tuxera ntfs-3g
Weaknesses CWE-122
CPEs cpe:2.3:a:tuxera:ntfs-3g:*:*:*:*:*:*:*:*
Vendors & Products Tuxera
Tuxera ntfs-3g
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Tuxera Ntfs-3g
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T15:35:30.245Z

Reserved: 2026-04-15T00:00:00.000Z

Link: CVE-2026-40706

cve-icon Vulnrichment

Updated: 2026-04-21T21:20:00.477Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-21T22:16:19.077

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-40706

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T07:00:12Z

Weaknesses