{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-40706", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T15:35:30.245Z", "dateReserved": "2026-04-15T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "NTFS-3G", "vendor": "Tuxera", "versions": [{"lessThan": "2026.2.25", "status": "affected", "version": "2022.10.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T21:04:43.906Z"}, "references": [{"url": "https://github.com/tuxera/ntfs-3g/blob/d3ace19838ce37cfde55294e76841e6d2f393f9e/libntfs-3g/acls.c#L4011-L4027"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/21/4"}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9"}, {"url": "https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tuxera:ntfs-3g:*:*:*:*:*:*:*:*", "versionStartIncluding": "2022.10.3", "versionEndExcluding": "2026.2.25"}]}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00024.html"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/21/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T21:20:00.477Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:03:14.635555Z", "id": "CVE-2026-40706", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:35:30.245Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00024.html"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/21/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-21T21:20:00.477Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40706", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:03:14.635555Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:03:47.207Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tuxera", "product": "NTFS-3G", "versions": [{"status": "affected", "version": "2022.10.3", "lessThan": "2026.2.25", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/tuxera/ntfs-3g/blob/d3ace19838ce37cfde55294e76841e6d2f393f9e/libntfs-3g/acls.c#L4011-L4027"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/21/4"}, {"url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9"}, {"url": "https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tuxera:ntfs-3g:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2026.2.25", "versionStartIncluding": "2022.10.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T21:04:43.906Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40706", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:35:30.245Z", "dateReserved": "2026-04-15T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-21T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs."}], "id": "CVE-2026-40706", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-21T22:16:19.077", "references": [{"source": "cve@mitre.org", "url": "https://github.com/tuxera/ntfs-3g/blob/d3ace19838ce37cfde55294e76841e6d2f393f9e/libntfs-3g/acls.c#L4011-L4027"}, {"source": "cve@mitre.org", "url": "https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25"}, {"source": "cve@mitre.org", "url": "https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/04/21/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/21/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00024.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2022.10.3,2026.2.25)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "NTFS-3G", "source": "cna", "vendor": "Tuxera"}, "product": "ntfs-3g", "vendor": "tuxera"}], "analysis": {"en": {"generated_at": "2026-04-22T06:58:22.878984+00:00", "value": {"mitigation_remediation": ["Upgrade NTFS-3G to version 2026.2.25 or later which contains the fix for the heap overflow.", "If upgrading is not immediately possible, remove the SUID bit from the ntfs-3g binary or configure the system to run it as a non\u2011privileged user, thereby preventing privilege escalation via the overflow.", "Validate or quarantine NTFS images before mounting them with ntfs-3g; avoid mounting untrusted volumes or filesystems that may contain malicious security descriptors."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Tuxera NTFS-3G implementation, specifically any releases prior to 2026.2.25, including the 2022.10.3 version. The SUID-root binary is the entry point for exploitation.", "description_and_impact": "A heap buffer overflow occurs in the ntfs_build_permissions_posix() function in the acls.c source of NTFS-3G. When the SUID-root executable processes a NTFS image that contains a security descriptor with many ACCESS_DENIED ACEs including WRITE_OWNER from distinct group SIDs, the overflow corrupts heap memory. This flaw maps to CWE-122 and can allow an attacker to execute arbitrary code with root privileges, potentially compromising confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "The CVSS score of 8.4 indicates high severity. Although EPSS data is not available and the vulnerability is not listed in CISA KEV, the exploit is realistic because it is triggered by a crafted NTFS image that can be presented to the system through the SUID-root binary. The likely attack vector involves local or file\u2011system interaction; an attacker who can mount or request an NTFS volume built from a malicious image can trigger the overflow and gain root access."}}}}, "created": "2026-04-22T04:45:09.199943+00:00", "title": "NTFS-3G SUID-root Heap Buffer Overflow Enables Privilege Escalation", "updated": "2026-04-22T07:00:12.128611+00:00", "vendors": ["tuxera", "tuxera$PRODUCT$ntfs-3g"]}