CVE-2026-40706

Publication date 21 April 2026

Last updated 23 April 2026


Ubuntu priority

Description

In NTFS-3G 2022.10.3, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.

Status

Package   Ubuntu Release     Status
ntfs-3g   25.10 questing     Fixed 1:2022.10.3-5ubuntu0.25.10.1
ntfs-3g   24.04 LTS noble    Fixed 1:2022.10.3-1.2ubuntu3.1
ntfs-3g   22.04 LTS jammy    Fixed 1:2021.8.22-3ubuntu1.3
ntfs-3g   20.04 LTS focal    Needs evaluation
ntfs-3g   18.04 LTS bionic   Needs evaluation
ntfs-3g   16.04 LTS xenial   Needs evaluation
ntfs-3g   14.04 LTS trusty   Needs evaluation

