Severity by source
Local vector because a crafted image must be physically or logically present; PR:N since unprivileged users trigger ntfs-3g mounts; S:C due to SUID-root escalation potential.
Lifecycle Timeline
1DescriptionCVE.org
In NTFS-3G through 2026.2.25, a heap buffer overflow exists in ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered by extending a directory, e.g., by creating a file.
AnalysisAI
Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by supplying a crafted NTFS image, with exploitation triggered when a directory is extended (e.g., a file is created) on the mounted filesystem. Because ntfs-3g carries the SUID-root bit to operate FUSE-based NTFS mounts, successful heap corruption in this context carries privilege escalation potential to root. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a crafted NTFS image be mounted using the SUID-root ntfs-3g binary - either via manual mount, automount of removable media (e.g., USB insertion with udisks2/udev automount active), or any other mechanism that causes ntfs-3g to process the image. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector is provided in the available data, so all metric assessments below are independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with physical access crafts a malicious NTFS filesystem image on a USB drive containing directory index metadata designed to trigger the out-of-bounds write in ntfs_ib_copy_tail(). When the target inserts the drive on a Linux desktop with automounting enabled, ntfs-3g mounts it as a SUID-root FUSE process; the attacker (or the automount system) then triggers file creation in the crafted directory, causing heap corruption within the root-privileged ntfs-3g process and enabling potential local privilege escalation to root. … |
| Remediation | Apply the vendor-released patch by updating ntfs-3g via the system package manager. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today