{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ntfs-3g/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40706"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ntfs-3g","heap-overflow","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40706 describes a heap buffer overflow vulnerability affecting NTFS-3G, specifically versions 2022.10.3 and earlier, before the patch in version 2026.2.25. The vulnerability lies within the \u003ccode\u003entfs_build_permissions_posix()\u003c/code\u003e function in \u003ccode\u003eacls.c\u003c/code\u003e. An attacker can exploit this flaw by creating a malicious NTFS image. When the affected software attempts to read this specially crafted image, a heap buffer overflow occurs. This is triggered when the software processes a security descriptor containing multiple ACCESS_DENIED Access Control Entries (ACEs), each including WRITE_OWNER permissions, and originating from distinct group Security Identifiers (SIDs). Successful exploitation allows an attacker to corrupt heap memory within the SUID-root ntfs-3g binary, potentially leading to privilege escalation or arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious NTFS image containing a specially designed security descriptor.\u003c/li\u003e\n\u003cli\u003eThe security descriptor includes multiple ACCESS_DENIED ACEs.\u003c/li\u003e\n\u003cli\u003eEach ACE within the descriptor contains WRITE_OWNER permissions.\u003c/li\u003e\n\u003cli\u003eThe ACEs originate from distinct group SIDs, triggering the overflow condition.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious NTFS image to a system running a vulnerable version of NTFS-3G. This may occur through physical media or network shares.\u003c/li\u003e\n\u003cli\u003eThe victim system attempts to read the malicious NTFS image using a vulnerable NTFS-3G version, such as during a \u003ccode\u003estat\u003c/code\u003e, \u003ccode\u003ereaddir\u003c/code\u003e, or \u003ccode\u003eopen\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003entfs_build_permissions_posix()\u003c/code\u003e function is called to process the security descriptor.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow occurs during the processing of the malicious ACEs, corrupting heap memory. This can lead to denial of service or potentially arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40706 allows for heap memory corruption in the ntfs-3g binary, which runs with elevated privileges due to its SUID-root configuration. The observed consequence is memory corruption. Depending on the extent of the corruption, this could lead to denial-of-service or arbitrary code execution. Given the wide usage of NTFS-3G for mounting NTFS volumes on Linux and other systems, a successful exploit could affect a large number of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NTFS-3G to version 2026.2.25 or later to patch CVE-2026-40706 (reference: \u003ca href=\"https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25\"\u003ehttps://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected crashes or errors related to ntfs-3g operations, which may indicate exploitation attempts. Deploy the Sigma rules below to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eConsider implementing stricter access controls and validation measures on NTFS images to prevent the use of malicious images (mitigation based on the vulnerability description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-ntfs3g-heap-overflow/","summary":"A heap buffer overflow vulnerability exists in NTFS-3G versions 2022.10.3 before 2026.2.25 that allows for heap memory corruption by processing a crafted NTFS image with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.","title":"NTFS-3G Heap Buffer Overflow Vulnerability (CVE-2026-40706)","url":"https://feed.craftedsignal.io/briefs/2026-04-ntfs3g-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Ntfs-3g","version":"https://jsonfeed.org/version/1.1"}