CVE-2026-40706 PUBLISHED

Assigner: mitre
Reserved: 15.04.2026 Published: 21.04.2026 Updated: 21.04.2026

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Tuxera
Product	NTFS-3G
Versions	Default: unknown affected from 2022.10.3 to 2026.2.25 (excl.)

References

https://github.com/tuxera/ntfs-3g/blob/d3ace19838ce37cfde55294e76841e6d2f393f9e/libntfs-3g/acls.c#L4011-L4027
https://www.openwall.com/lists/oss-security/2026/04/21/4
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9
https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25

Problem Types

CWE-122 Heap-based Buffer Overflow CWE