MGASA-2026-0118

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2026-0118.html

Import Source

https://advisories.mageia.org/MGASA-2026-0118.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2026-0118

Upstream

CVE-2026-40706

Published

2026-05-07T05:06:13Z

Modified

2026-05-07T05:15:30.123205Z

Summary

Updated ntfs-3g packages fix security vulnerability

Details

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfsbuildpermissionsposix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESSDENIED ACEs containing WRITE_OWNER from distinct group SIDs. (CVE-2026-40706)

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:9 / ntfs-3g

Package

Name: ntfs-3g
Purl: pkg:rpm/mageia/ntfs-3g?arch=source&distro=mageia-9

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2022.10.3-1.2.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source

"https://advisories.mageia.org/MGASA-2026-0118.json"