Bug 35412 - ntfs-3g new security issue CVE-2026-40706
Summary: ntfs-3g new security issue CVE-2026-40706
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-04-27 11:32 CEST by Nicolas Salguero
Modified: 2026-05-07 07:09 CEST (History)
3 users

See Also:
Source RPM: ntfs-3g-2022.10.3-1.1.mga9.src.rpm
CVE: CVE-2026-40706
Status comment:
mageia: test_passed_mga9_64+


Attachments

Description Nicolas Salguero 2026-04-27 11:32:50 CEST
Debian has issued an advisory on April 21:
https://lists.debian.org/debian-security-announce/2026/msg00131.html
Nicolas Salguero 2026-04-27 11:33:26 CEST

Source RPM: (none) => ntfs-3g-2022.10.3-1.1.mga9.src.rpm
CVE: (none) => CVE-2026-40706
Status comment: (none) => Patch available from Debian

Comment 1 Nicolas Salguero 2026-04-27 14:00:05 CEST
Reference: https://www.openwall.com/lists/oss-security/2026/04/21/4
Comment 2 Nicolas Salguero 2026-04-28 09:46:24 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs. (CVE-2026-40706)

References:
https://www.openwall.com/lists/oss-security/2026/04/21/4
https://lists.debian.org/debian-security-announce/2026/msg00131.html
========================

Updated packages in core/updates_testing:
========================
lib(64)ntfs-3g89-2022.10.3-1.2.mga9
lib(64)ntfs-3g-devel-2022.10.3-1.2.mga9
ntfs-3g-2022.10.3-1.2.mga9

from SRPM:
ntfs-3g-2022.10.3-1.2.mga9.src.rpm

Status comment: Patch available from Debian => (none)
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
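The trigger condition named in the advisory above (several ACCESS_DENIED ACEs carrying WRITE_OWNER from distinct group SIDs in one security descriptor), as an added illustration that is not ntfs-3g code: a bounds-checked walk over a raw NTFS DACL that counts such ACEs per distinct SID and rejects any descriptor whose sizes do not add up. The ACL, ACE and SID layouts are the standard on-disk Windows formats; the 64-entry SID cap and the sample DACL are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define ACCESS_DENIED_ACE_TYPE 1   /* ACE type value from the Windows ACE header */
#define WRITE_OWNER 0x00080000u    /* standard-rights bit in the ACE access mask */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Byte length of the SID at p (revision 1, at most 15 sub-authorities); 0 if it does not fit. */
static size_t sid_len(const uint8_t *p, size_t avail) {
    if (avail < 8 || p[0] != 1 || p[1] > 15) return 0;
    size_t n = 8 + 4 * (size_t)p[1];
    return n <= avail ? n : 0;
}
/* Count ACCESS_DENIED ACEs carrying WRITE_OWNER, keyed by distinct SID. Every offset is
 * checked against AclSize and the buffer length; any inconsistency returns -1 so the caller
 * rejects the descriptor instead of building permissions from it. (Cap of 64 SIDs: assumption.) */
int count_deny_write_owner_sids(const uint8_t *acl, size_t len) {
    if (len < 8 || acl[0] != 2 || rd16(acl + 2) > len) return -1; /* ACL revision 2, AclSize */
    size_t acl_size = rd16(acl + 2), off = 8;
    unsigned ace_count = rd16(acl + 4);
    const uint8_t *seen[64]; size_t seen_len[64]; int distinct = 0;
    for (unsigned i = 0; i < ace_count; i++) {
        if (off + 4 > acl_size) return -1;                 /* ACE header must fit */
        uint8_t type = acl[off]; size_t size = rd16(acl + off + 2);
        if (size < 8 || off + size > acl_size) return -1;  /* ACE body must fit */
        if (type == ACCESS_DENIED_ACE_TYPE && (rd32(acl + off + 4) & WRITE_OWNER)) {
            const uint8_t *sid = acl + off + 8;
            size_t sl = sid_len(sid, size - 8);
            if (sl == 0) return -1;
            int dup = 0;
            for (int j = 0; j < distinct && !dup; j++)
                dup = (seen_len[j] == sl && memcmp(seen[j], sid, sl) == 0);
            if (!dup) { if (distinct == 64) return -1; seen[distinct] = sid; seen_len[distinct++] = sl; }
        }
        off += size;
    }
    return distinct;
}
/* Constructed sample DACL: three ACCESS_DENIED ACEs with WRITE_OWNER, SIDs S-1-5-32-545,
 * S-1-5-32-546 and S-1-5-32-545 again, so two distinct SIDs. */
static const uint8_t sample_dacl[] = {
    0x02,0x00,0x50,0x00,0x03,0x00,0x00,0x00,
    0x01,0x00,0x18,0x00,0x00,0x00,0x08,0x00, 0x01,0x02,0,0,0,0,0,0x05,0x20,0,0,0,0x21,0x02,0,0,
    0x01,0x00,0x18,0x00,0x00,0x00,0x08,0x00, 0x01,0x02,0,0,0,0,0,0x05,0x20,0,0,0,0x22,0x02,0,0,
    0x01,0x00,0x18,0x00,0x00,0x00,0x08,0x00, 0x01,0x02,0,0,0,0,0,0x05,0x20,0,0,0,0x21,0x02,0,0 };
int main(void) { printf("%d\n", count_deny_write_owner_sids(sample_dacl, sizeof sample_dacl)); return 0; }
```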

katnatek 2026-04-29 03:31:46 CEST

Keywords: (none) => advisory

Comment 3 PC LX 2026-05-01 11:27:24 CEST
Installed and tested without issues.

Tested:
- with NTFS file systems from Windows 10 and Windows 11 VMs;
- with newly created NTFS file system;
- mount read-only and read-write;
- normal file operations;
- fsck.ntfs, ntfsls, ntfslabel, ntfscp, ntfscat, ntfscmp, ntfs-3g.probe;
- ntfsclone save and restore;
- after tests, booted Windows VMs and checked FS. No errors found.



System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.130-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Mar 26 01:48:01 UTC 2026 x86_64 GNU/Linux
$ rpm -qa | grep -P 'ntfs-3g.*2022.10.3-1.2'
lib64ntfs-3g89-2022.10.3-1.2.mga9
ntfs-3g-2022.10.3-1.2.mga9

CC: (none) => mageia

Comment 4 PC LX 2026-05-05 19:18:07 CEST
This update has been in use for about a week without issues so I'm giving it the OK for x86_64.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

Comment 5 Thomas Andrews 2026-05-06 22:57:15 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2026-05-07 07:09:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0118.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
