NTFS driver for Linux: NTFS-3G closes privilege escalation vulnerability
After about four years, a new NTFS-3G version has been released. It closes a privilege escalation vulnerability and fixes bugs.
(Image: heise medien)
For Linux and other Unix-like operating systems, there are several driver options for accessing the Windows NTFS file system. One of them is the open-source NTFS-3G from Tuxera, which is based on FUSE (Filesystem in Userspace). After almost four years, the developers have released an update that also closes a highly risky security vulnerability.
According to Tuxera's security advisory, this is a heap-based buffer overflow. In the ntfs-3g binary, which is executed with SUID-root, attackers can provoke the buffer overflow in the ntfs_build_permissions_posix() function with a carefully crafted NTFS image, the programmers explain. The error occurs during read access when processing security descriptors that contain multiple “access denied” entries with the content “WRITE_OWNER” from different group security identifiers (SID) (CVE-2026-40706, CVSS 7.8, Risk “high”).
The developers further explain that malicious actors have control over the size of the overflow, from 8 to over 14,000 bytes. They can also, in part, write controlled data into memory behind the allocated heap. This, in turn, interferes with glibc heap data. They do not explicitly state it, but the severity of the vulnerability also indicates this: attackers can thus inject code and run it with root privileges from SUID.
Corrected Source Code
Tuxera released corrected sources this Tuesday. They bring NTFS-3G up to version 2026.2.25 – previously, version 2022.10.3 from 2022 was current. The release notes list numerous smaller bug fixes. These range from typos in messages to crash bugs.
Videos by heise
If the driver cannot be updated immediately, proposed countermeasures can be implemented. Disabling ACLs in the build configuration followed by a rebuild and reinstall helps, according to the developers, or forcing the deactivation of user mapping followed by unmount and mount with the option -ousermapping= set. Additionally, deleting the file “.NTFS-3G/UserMapping” for all mounted NTFS volumes and then unmounting and remounting the images should provide a solution. If you can rely on your distribution's package manager, Debian is already providing patched packages for all stable releases via the security channel, and Ubuntu has also followed with backports of the security update.
Meanwhile, there are alternative NTFS drivers that run in the Linux kernel and are said to be more performant. Last October, developer Namjae Jeon, for example, presented “ntfsplus.”
(dmk)
