NTFS-3G 2026.7.7 Update Fixes 9 Vulnerabilities

Published release of the NTFS-3G 2026.7.7 package, which includes a free driver running in user space using the FUSE mechanism and a set of utilities ntfsprogs for manipulating NTFS partitions. The project code is distributed under the GPLv2 license. The latest version addresses 9 vulnerabilities that could potentially lead to code execution with root privileges when processing specially crafted NTFS partitions or disk images.

  • CVE-2026-46569 – a buffer overflow in the ntfs_ib_copy_tail() function, which could allow an attacker to execute code with root privileges by creating a file in a specially designed directory after mounting a modified NTFS image.
  • CVE-2026-42617 – a buffer overflow in the ntfs_ir_to_ib() function, leading to potential code execution as root by creating a file in a directory after mounting a specially modified NTFS image.
  • CVE-2026-42618 – a buffer overflow in the ntfs_decompress() function, which could result in code execution with root privileges when reading a specially crafted file after mounting a modified NTFS image.
  • CVE-2026-46570 – a buffer overflow in the ntfs_index_walk_down() function, potentially leading to code execution as root when accessing file metadata after mounting a manipulated NTFS image.
/Reports, release notes, official announcements.