Cyber Resilience

CVE-2026-40706

High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (6.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40706 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.0th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-40706 is a heap buffer overflow vulnerability in the ntfs_build_permissions_posix() function within acls.c of NTFS-3G versions from 2022.10.3 before 2026.2.25. It affects the SUID-root ntfs-3g binary, which is used for mounting and accessing NTFS filesystems on Linux and other Unix-like systems. The flaw arises when processing NTFS security descriptors containing multiple ACCESS_DENIED access control entries (ACEs) with WRITE_OWNER permissions from distinct group security identifiers (SIDs), classified under CWE-122 with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability by crafting a malicious NTFS image and triggering the overflow during read operations such as stat, readdir, or open on the affected filesystem. No privileges or user interaction are required, allowing unprivileged users to corrupt heap memory in the privileged SUID-root process. Successful exploitation could enable arbitrary code execution, data tampering, or denial of service with high confidentiality, integrity, and availability impacts.

Advisories and patches recommend updating to NTFS-3G version 2026.2.25, which addresses the issue as detailed in the project's GitHub release and security advisory GHSA-4cwv-5285-63v9. The vulnerability was publicly disclosed on oss-security mailing lists, with code analysis available in the ntfs-3g repository pinpointing lines 4011-4027 in acls.c.

Vulnerability details

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A heap buffer overflow in the SUID-root ntfs-3g binary allows a local unprivileged attacker to achieve arbitrary code execution as root via a crafted malicious NTFS image during filesystem operations.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40403 (shared CWE-122)
CVE-2025-21418 (shared CWE-122)
CVE-2026-35420 (shared CWE-122)
CVE-2026-7900 (shared CWE-122)
CVE-2026-40398 (shared CWE-122)
CVE-2025-54910 (shared CWE-122)
CVE-2025-32318 (shared CWE-122)
CVE-2026-21372 (shared CWE-122)
CVE-2026-32221 (shared CWE-122)
CVE-2026-9915 (shared CWE-122)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

[prevent] SI-2 Flaw Remediation requires timely patching of vulnerabilities like the heap buffer overflow in ntfs-3g, directly eliminating the exploitable flaw in the SUID-root binary.

[prevent] SI-16 Memory Protection implements safeguards such as ASLR, DEP, and heap isolation that directly mitigate heap buffer overflow exploits by preventing arbitrary code execution.

[prevent] CM-7 Least Functionality prohibits or restricts unnecessary software like ntfs-3g, preventing unprivileged users from mounting malicious NTFS images that trigger the vulnerability.
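
A triage check for the two conditions this page ties the risk to: the affected version range (2022.10.3 up to but not including 2026.2.25) and a setuid-root ntfs-3g binary. This is an added example, not code from the NTFS-3G project or the advisory. The function names, the verdict strings, and the assumption that the caller supplies the installed version string and the binary path are illustrative.

```sh
#!/bin/sh
# Added triage sketch for CVE-2026-40706; not code from the NTFS-3G project.
# Assumption: the caller passes the path to the ntfs-3g binary and the
# installed version string (for example as reported by the package manager).

# Turn "YYYY.M.D" into a sortable key: 2026.2.25 -> 20260225.
# Tolerates a distro epoch ("1:") and a revision suffix ("-1ubuntu1").
ver_key() {
    v=${1#*:}            # drop the epoch, if any
    v=${v%%[!0-9.]*}     # drop everything after the upstream version
    printf '%s\n' "$v" | awk -F. '
        $1 ~ /^[0-9]+$/ { printf "%04d%02d%02d\n", $1, $2, $3; ok = 1 }
        END { exit !ok }'
}

# Returns 0 inside the range the page gives (2022.10.3 <= v < 2026.2.25),
# 1 outside it, 2 when the version string cannot be parsed.
in_affected_range() {
    k=$(ver_key "$1") || return 2
    [ "$k" -ge 20221003 ] && [ "$k" -lt 20260225 ]
}

# True when the path resolves to a root-owned file with the setuid bit set.
is_setuid_root() {
    [ -n "$(find -L "$1" -prune -user 0 -perm -4000 -print 2>/dev/null)" ]
}

# usage: triage /path/to/ntfs-3g VERSION
# Prints one verdict string (names are illustrative).
triage() {
    rc=0
    in_affected_range "$2" || rc=$?
    case $rc in
        1) echo "not-affected"; return 0 ;;
        2) echo "unknown-version"; return 0 ;;
    esac
    if is_setuid_root "$1"; then
        echo "affected-setuid-root"   # the configuration this page describes
    else
        echo "affected-no-setuid"     # in range, but the binary is not setuid root
    fi
}
```

A distribution may backport the fix without changing the upstream version number, so treat an in-range result as a prompt to check the vendor's advisory for that package.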
