What is CVE-2026-40706?

CVE-2026-40706 is a high-severity vulnerability in Tuxera Ntfs-3g, classified under Heap-based Buffer Overflow. CVSS score: 8.4/10. Published 2026-04-21.

How severe is CVE-2026-40706?

High severity. CVSS v3 base score is 8.4 out of 10.

Buffer overflow in Tuxera Ntfs-3g

CVE-2026-40706

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflo…

Vulnerability class: Buffer Overflow

EPSS: 0.000 (4.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.4 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Tuxera Ntfs-3g — versions 2022.10.3

Weakness classification (CWE)

CWE-122 — Heap-based Buffer Overflow

References

github.com/tuxera/ntfs-3g/blob/d3ace19838ce37cfde55294e76841e6d2f393f9e/libntfs…
www.openwall.com/lists/oss-security/2026/04/21/4
github.com/tuxera/ntfs-3g/security/advisories/GHSA-4cwv-5285-63v9
github.com/tuxera/ntfs-3g/releases/tag/2026.2.25

Frequently asked questions

What is CVE-2026-40706?: CVE-2026-40706 is a high-severity vulnerability in Tuxera Ntfs-3g, classified under Heap-based Buffer Overflow. CVSS score: 8.4/10. Published 2026-04-21.
How severe is CVE-2026-40706?: High severity. CVSS v3 base score is 8.4 out of 10.