CVE-2026-40706
Published: 21 April 2026
Summary
CVE-2026-40706 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 6.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-40706 is a heap buffer overflow vulnerability in the ntfs_build_permissions_posix() function within acls.c of NTFS-3G versions from 2022.10.3 before 2026.2.25. It affects the SUID-root ntfs-3g binary, which is used for mounting and accessing NTFS filesystems on Linux and other Unix-like systems. The flaw arises when processing NTFS security descriptors containing multiple ACCESS_DENIED access control entries (ACEs) with WRITE_OWNER permissions from distinct group security identifiers (SIDs), classified under CWE-122 with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability by crafting a malicious NTFS image and triggering the overflow during read operations such as stat, readdir, or open on the affected filesystem. No privileges or user interaction are required, allowing unprivileged users to corrupt heap memory in the privileged SUID-root process. Successful exploitation could enable arbitrary code execution, data tampering, or denial of service with high confidentiality, integrity, and availability impacts.
Advisories and patches recommend updating to NTFS-3G version 2026.2.25, which addresses the issue as detailed in the project's GitHub release and security advisory GHSA-4cwv-5285-63v9. The vulnerability was publicly disclosed on oss-security mailing lists, with code analysis available in the ntfs-3g repository pinpointing lines 4011-4027 in acls.c.
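An exposure check built from the affected range and the SUID-root condition described above. This is an added example, not code from the NTFS-3G project or the advisory; the function names, the result strings and the idea of passing the installed version and binary path as arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2026-40706 (not project code).
# Affected range taken from the page: 2022.10.3 <= version < 2026.2.25.
# Caveat: a distribution may backport the fix without changing the upstream
# version, so confirm an "exposed" result against the vendor's own advisory.

# ver_key: map "Y.M.D" to a sortable integer, ignoring a packaging epoch
# ("1:") and any trailing packaging suffix ("-1").
ver_key() {
    v=${1##*:}
    v=${v%%[!0-9.]*}
    printf '%s\n' "$v" | awk -F. '{ printf "%d%02d%02d\n", $1, $2, $3 }'
}

# True when the version lies inside the affected range.
is_affected_version() {
    k=$(ver_key "$1")
    [ "$k" -ge 20221003 ] && [ "$k" -lt 20260225 ]
}

# True when the file (symlinks followed) has the setuid bit and is owned by uid 0.
is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -lnL -- "$1" | awk '{ print $3 }')" = 0 ]
}

# exposure VERSION PATH: print one of three result strings.
exposure() {
    if ! is_affected_version "$1"; then
        echo "version-not-in-range"
    elif is_setuid_root "$2"; then
        echo "exposed"
    else
        echo "affected-version-not-setuid-root"
    fi
}

# Usage: sh check.sh VERSION PATH   (both supplied by the operator)
if [ "$#" -eq 2 ]; then
    exposure "$1" "$2"
fi
```

A result of `affected-version-not-setuid-root` means the vulnerable code is present but the binary does not run with root privileges on behalf of unprivileged users; updating to 2026.2.25 is still the fix.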
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24467
Vulnerability details
In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in SUID-root ntfs-3g binary allows local unprivileged attacker to achieve arbitrary code execution as root via crafted malicious NTFS image during filesystem operations.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 Flaw Remediation requires timely patching of vulnerabilities like the heap buffer overflow in ntfs-3g, directly eliminating the exploitable flaw in the SUID-root binary.
SI-16 Memory Protection implements safeguards such as ASLR, DEP, and heap isolation that directly mitigate heap buffer overflow exploits by preventing arbitrary code execution.
CM-7 Least Functionality prohibits or restricts unnecessary software like ntfs-3g, preventing unprivileged users from mounting malicious NTFS images that trigger the vulnerability.