Your submission was sent successfully! Close

CVE-2022-40284

Published: 31 October 2022

A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
ntfs-3g
Launchpad, Ubuntu, Debian
bionic
Released (1:2017.3.23-2ubuntu0.18.04.5)
focal
Released (1:2017.3.23AR.3-3ubuntu1.3)
jammy
Released (1:2021.8.22-3ubuntu1.2)
kinetic
Released (1:2022.5.17-1ubuntu1.1)
trusty
Released (1:2013.1.13AR.1-2ubuntu2+esm4)
upstream Needs triage

xenial
Released (1:2015.3.14AR.1-1ubuntu0.3+esm4)
Patches:
upstream: https://github.com/tuxera/ntfs-3g/commit/18bfc676119a1188e8135287b8327b0760ba44a1
upstream: https://github.com/tuxera/ntfs-3g/commit/76c3a799a97fbcedeeeca57f598be508ae2a1656