CVE-2022-40284Classic Buffer Overflow in Ntfs-3g

CWE-120Classic Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer8 documents7 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 84.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Tuxera Ntfs-3gDebian LinuxFedoraproject Fedora
Timeline
PublishedNov 6
Latest updateNov 8

Description

A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDtuxera/ntfs-3g< 2022.10.3
Debiantuxera/ntfs-3g< 1:2017.3.23AR.3-4+deb11u3+3

Also affects: Debian Linux 10.0, Fedora 35, 36, 37

🔴Vulnerability Details

2
OSV
CVE-2022-40284: A buffer overflow was discovered in NTFS-3G before 20222022-11-06
CVEList
CVE-2022-40284: A buffer overflow was discovered in NTFS-3G before 20222022-11-06

📋Vendor Advisories

5
Microsoft
A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A phys2022-11-08
Ubuntu
NTFS-3G vulnerability2022-11-03
Ubuntu
NTFS-3G vulnerability2022-11-02
Red Hat
NTFS-3G: buffer overflow issue in NTFS-3G can cause code execution via crafted metadata in an NTFS image2022-10-31
Debian
CVE-2022-40284: ntfs-3g - A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata i...2022
CVE-2022-40284 — Classic Buffer Overflow in Ntfs-3g | cvebase