Skip to main content

NTFS-3G CVE-2026-46569

MEDIUM
2026-07-15 vendor:ubuntu
Share

Severity by source

vuln.today AI
8.6 HIGH

Local vector because a crafted image must be physically or logically present; PR:N since unprivileged users trigger ntfs-3g mounts; S:C due to SUID-root escalation potential.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 16:34 vuln.today

DescriptionCVE.org

In NTFS-3G through 2026.2.25, a heap buffer overflow exists in ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered by extending a directory, e.g., by creating a file.

AnalysisAI

Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by supplying a crafted NTFS image, with exploitation triggered when a directory is extended (e.g., a file is created) on the mounted filesystem. Because ntfs-3g carries the SUID-root bit to operate FUSE-based NTFS mounts, successful heap corruption in this context carries privilege escalation potential to root. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious NTFS image with adversarial directory index metadata
Delivery
Deliver image to target via USB or local file
Exploit
Trigger ntfs-3g SUID-root mount of image
Execution
Create file in crafted directory to invoke ntfs_ib_copy_tail()
Persist
Trigger heap buffer overflow in root-privileged process
Impact
Leverage heap corruption for local privilege escalation to root

Vulnerability AssessmentAI

Exploitation Exploitation requires that a crafted NTFS image be mounted using the SUID-root ntfs-3g binary - either via manual mount, automount of removable media (e.g., USB insertion with udisks2/udev automount active), or any other mechanism that causes ntfs-3g to process the image. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector is provided in the available data, so all metric assessments below are independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access crafts a malicious NTFS filesystem image on a USB drive containing directory index metadata designed to trigger the out-of-bounds write in ntfs_ib_copy_tail(). When the target inserts the drive on a Linux desktop with automounting enabled, ntfs-3g mounts it as a SUID-root FUSE process; the attacker (or the automount system) then triggers file creation in the crafted directory, causing heap corruption within the root-privileged ntfs-3g process and enabling potential local privilege escalation to root. …
Remediation Apply the vendor-released patch by updating ntfs-3g via the system package manager. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy