Advisories » MGASA-2026-0118

Updated ntfs-3g packages fix security vulnerability

Publication date: 07 May 2026
Modification date: 07 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-40706

Description

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in
ntfs_build_permissions_posix() in acls.c that allows an attacker to
corrupt heap memory in the SUID-root ntfs-3g binary by crafting a
malicious NTFS image. The overflow is triggered on the READ path (stat,
readdir, open) when processing a security descriptor with multiple
ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.
(CVE-2026-40706)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35412
• https://www.openwall.com/lists/oss-security/2026/04/21/4
• https://lists.debian.org/debian-security-announce/2026/msg00131.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40706

SRPMS

9/core

• ntfs-3g-2022.10.3-1.2.mga9