NTFS-3G Heap Buffer Overflow Vulnerability in Permission Handling

A heap buffer overflow vulnerability has been identified in NTFS-3G version 2022.10.3 prior to 2026.2.25. The issue arises in the function ntfs_build_permissions_posix() within acls.c. This vulnerability allows an attacker to corrupt heap memory in the SUID-root NTFS-3G binary by crafting a malicious NTFS image. The overflow occurs on the READ path (stat, readdir, open) when the software processes a security descriptor containing multiple ACCESS_DENIED ACEs with WRITE_OWNER, sourced from different group SIDs.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing for the corruption of adjacent memory and manipulation of heap metadata. This type of vulnerability can often be exploited to execute arbitrary code or cause a crash by disrupting normal memory management.

Reproduction

The vulnerability can be reproduced by enabling POSIX ACLs in NTFS-3G and then mounting an NTFS volume that contains a crafted security descriptor. This descriptor should include multiple ACCESS_DENIED ACEs with WRITE_OWNER rights, originating from distinct group SIDs. Once the volume is mounted, the buffer overflow is triggered during standard file operations such as reading directory contents or accessing files, which activates the vulnerable permission handling code.

Remediation

Users can upgrade to NTFS-3G version 2026.2.25, which addresses the heap buffer overflow vulnerability. For those using Debian 11 bullseye, the updated package version is 1:2017.3.23AR.3-4+deb11u5. Alternatively, NTFS-3G can be rebuilt without POSIX ACL support and reinstalled.