Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <d258ceb7-f991-4e3c-9d99-ae99a165945a@tuxera.com>
Date: Tue, 21 Apr 2026 17:44:04 +0300
From: Rostislav <rostislav@...era.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-40706: ntfs-3g 2022.10.3: Heap buffer overflow

Hello oss-security,

A vulnerability in ntfs-3g (https://github.com/tuxera/ntfs-3g) has been 
reported to us by a third party.

Short description:
In NTFS-3G 2022.10.3, a heap buffer overflow exists in 
ntfs_build_permissions_posix() in acls.c that allows an attacker to 
corrupt heap memory in the SUID-root ntfs-3g binary by crafting a 
malicious NTFS image. The overflow is triggered on the READ path (stat, 
readdir, open) when processing a security descriptor with multiple 
ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.

CVSS 3.1: 7.8 (High) — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:
CVE ID: CVE-2026-40706
Full advisory: 
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9
Fixed version: https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25

Credits: reported by Andrea Bocchetti

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.