{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-39259", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-12-02T21:17:20.668Z", "dateReserved": "2021-08-17T00:00:00.000Z", "datePublished": "2021-09-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-11T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/tuxera/ntfs-3g/releases"}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"}, {"name": "DSA-4971", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-4971"}, {"name": "[debian-lts-announce] 20211116 [SECURITY] [DLA 2819-1] ntfs-3g security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"name": "GLSA-202301-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202301-01"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:06:40.971Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/tuxera/ntfs-3g/releases", "tags": ["x_transferred"]}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp", "tags": ["x_transferred"]}, {"name": "DSA-4971", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4971"}, {"name": "[debian-lts-announce] 20211116 [SECURITY] [DLA 2819-1] ntfs-3g security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"name": "GLSA-202301-01", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202301-01"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-02T21:17:12.408661Z", "id": "CVE-2021-39259", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T21:17:20.668Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/tuxera/ntfs-3g/releases", "tags": ["x_transferred"]}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2021/dsa-4971", "name": "DSA-4971", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html", "name": "[debian-lts-announce] 20211116 [SECURITY] [DLA 2819-1] ntfs-3g security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202301-01", "name": "GLSA-202301-01", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:06:40.971Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-39259", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-02T21:17:12.408661Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T21:17:03.028Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/tuxera/ntfs-3g/releases"}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"}, {"url": "https://www.debian.org/security/2021/dsa-4971", "name": "DSA-4971", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html", "name": "[debian-lts-announce] 20211116 [SECURITY] [DLA 2819-1] ntfs-3g security update", "tags": ["mailing-list"]}, {"url": "https://security.gentoo.org/glsa/202301-01", "name": "GLSA-202301-01", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-11T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2021-39259", "state": "PUBLISHED", "dateUpdated": "2025-12-02T21:17:20.668Z", "dateReserved": "2021-08-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2021-09-07T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tuxera:ntfs-3g:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBE087A1-98D1-4F40-9CC9-D90116B23E0C", "versionEndExcluding": "2021.8.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22."}, {"lang": "es", "value": "Una imagen NTFS dise\u00f1ada puede desencadenar un acceso fuera de l\u00edmites, causado por una longitud de atributo no saneada en la funci\u00f3n ntfs_inode_lookup_by_name, en NTFS-3G versiones anteriores a 2021.8.22"}], "id": "CVE-2021-39259", "lastModified": "2025-12-02T22:16:06.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-09-07T15:15:08.217", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/tuxera/ntfs-3g/releases"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202301-01"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/tuxera/ntfs-3g/releases"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00013.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202301-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4971"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3704", "cpe": "cpe:/a:redhat:advanced_virtualization:8.2::el8", "package": "virt:8.2-8020120210917153657.863bb0db", "product_name": "Advanced Virtualization for RHEL 8.2.1", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2021:3704", "cpe": "cpe:/a:redhat:advanced_virtualization:8.2::el8", "package": "virt-devel:8.2-8020120210917153657.863bb0db", "product_name": "Advanced Virtualization for RHEL 8.2.1", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2021:3703", "cpe": "cpe:/a:redhat:advanced_virtualization:8.4::el8", "package": "virt:av-8040020210922084349.522a0ee4", "product_name": "Advanced Virtualization for RHEL 8.4.0.Z", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2021:3703", "cpe": "cpe:/a:redhat:advanced_virtualization:8.4::el8", "package": "virt-devel:av-8040020210922084349.522a0ee4", "product_name": "Advanced Virtualization for RHEL 8.4.0.Z", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2022:1759", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt-devel:rhel-8060020220408104655.d63f516d", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}, {"advisory": "RHSA-2022:1759", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt:rhel-8060020220408104655.d63f516d", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "ntfs-3g: Out-of-bounds access in ntfs_inode_lookup_by_name() caused by an unsanitized attribute length", "id": "2001659", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2001659"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["A crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22.", "The ntfs3g package is susceptible to a heap overflow on crafted input. When processing an NTFS image, proper bounds checking was not enforced leading to this software flaw. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2021-39259", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Affected", "package_name": "virt:8.2/libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Affected", "package_name": "virt:av/libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libguestfs-winsupport", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-08-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-39259\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-39259\nhttps://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp"], "threat_severity": "Moderate"}

{}