CVE-2022-40284

Summary

CVE	CVE-2022-40284
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-11-06 23:15:00 UTC
Updated	2023-11-07 03:52:00 UTC
Description	A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.

Risk And Classification

Problem Types: CWE-120

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Application	Tuxera	Ntfs-3g	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 37 Update: ntfs-3g-2022.10.3-1.fc37 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
oss-security - OPEN SOURCE NTFS-3G SECURITY ADVISORY NTFS3G-SA-2022-0003	MISC	www.openwall.com
[SECURITY] [DLA 3201-1] ntfs-3g security update	MLIST	lists.debian.org
[SECURITY] Fedora 37 Update: ntfs-3g-2022.10.3-1.fc37 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Releases · tuxera/ntfs-3g · GitHub	MISC	github.com
[SECURITY] Fedora 36 Update: ntfs-3g-2022.10.3-1.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: ntfs-3g-2022.10.3-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 35 Update: ntfs-3g-2022.10.3-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 36 Update: ntfs-3g-2022.10.3-1.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
NTFS-3G: Multiple Vulnerabilities (GLSA 202301-01) — Gentoo security	GENTOO	security.gentoo.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

160935 Oracle Enterprise Linux Security Update for virt:ol and virt-devel:rhel (ELSA-2023-5264)
161030 Oracle Enterprise Linux Security Update for libguestfs-winsupport (ELSA-2023-6167)
181189 Debian Security Update for ntfs-3g (DSA 5270-1)
181566 Debian Security Update for ntfs-3g (DLA 3201-1)
181891 Debian Security Update for ntfs-3g (CVE-2022-40284)
199015 Ubuntu Security Notification for NTFS-3G Vulnerability (USN-5711-1)
242071 Red Hat Update for virt:rhel and virt-devel:rhel (RHSA-2023:5264)
242077 Red Hat Update for virt:rhel and virt-devel:rhel (RHSA-2023:5239)
242144 Red Hat Update for virt:rhel (RHSA-2023:5587)
242190 Red Hat Update for virt:rhel (RHSA-2023:5796)
242248 Red Hat Update for libguestfs-winsupport (RHSA-2023:6168)
242352 Red Hat Update for libguestfs-winsupport (RHSA-2023:6167)
242861 Red Hat Update for virt:rhel and virt-devel:rhel (RHSA-2024:0404)
283373 Fedora Security Update for ntfs (FEDORA-2022-4915124227)
283374 Fedora Security Update for ntfs (FEDORA-2022-14f11bfc73)
284293 Fedora Security Update for ntfs (FEDORA-2022-243616c548)
378927 Alibaba Cloud Linux Security Update for virt:rhel and virt-devel:rhel (ALINUX3-SA-2023:0125)
502749 Alpine Linux Security Update for ntfs-3g
710698 Gentoo Linux NTFS-3G Multiple Vulnerabilities (GLSA 202301-01)
752760 SUSE Enterprise Linux Security Update for ntfs-3g_ntfsprogs (SUSE-SU-2022:3865-1)
904481 Common Base Linux Mariner (CBL-Mariner) Security Update for ntfs-3g (11388)
904641 Common Base Linux Mariner (CBL-Mariner) Security Update for ntfs-3g (11388-1)
941271 AlmaLinux Security Update for virt:rhel and virt-devel:rhel (ALSA-2023:5264)
941331 AlmaLinux Security Update for libguestfs-winsupport (ALSA-2023:6167)