{"id":"CVE-2026-40706","details":"In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.","aliases":["GHSA-4cwv-5285-63v9"],"modified":"2026-05-01T18:44:29.085839929Z","published":"2026-04-21T00:00:00Z","related":["SUSE-SU-2026:1571-1","openSUSE-SU-2026:10614-1","openSUSE-SU-2026:20651-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40706.json","cwe_ids":["CWE-122"],"cna_assigner":"mitre"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/04/21/4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40706.json"},{"type":"WEB","url":"https://github.com/tuxera/ntfs-3g/blob/d3ace19838ce37cfde55294e76841e6d2f393f9e/libntfs-3g/acls.c#L4011-L4027"},{"type":"WEB","url":"https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25"},{"type":"ADVISORY","url":"https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2026/04/msg00024.html"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40706"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/21/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tuxera/ntfs-3g","events":[{"introduced":"78414d93613532fd82f3a82aba5d4a1c32898781"},{"fixed":"d1cb9e825d059ef5db0ccd30d5bce202edbd69dc"}],"database_specific":{"extracted_events":[{"introduced":"2022.10.3"},{"fixed":"2026.2.25"}],"source":"AFFECTED_FIELD"}}],"versions":["2022.10.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-40706.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}