CVE-2022-30784

7.8 HIGH

📋 TL;DR

This vulnerability in NTFS-3G allows a specially crafted NTFS filesystem image to trigger heap exhaustion via the ntfs_get_attribute_value function, potentially causing denial of service. Systems using NTFS-3G to mount or access NTFS filesystems are affected, particularly Linux/Unix systems that need NTFS compatibility.

💻 Affected Systems

Products:
  • NTFS-3G
Versions: All versions through 2021.8.22
Operating Systems: Linux, Unix-like systems, macOS (via FUSE), BSD variants
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with NTFS-3G installed and when mounting NTFS filesystems. Not applicable to native Windows NTFS handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system crash or unavailability due to heap exhaustion, potentially requiring reboot and causing data loss or corruption.

🟠 Likely Case

Application or service crash when processing malicious NTFS images, leading to temporary denial of service for affected processes.

🟢 If Mitigated

Limited impact with proper access controls preventing untrusted NTFS images from being mounted.

🌐 Internet-Facing: LOW - Requires mounting malicious NTFS filesystems, unlikely via typical internet-facing services.
🏢 Internal Only: MEDIUM - Internal users could mount malicious NTFS images via USB drives or network shares.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires mounting a malicious NTFS image, which typically requires some level of access or user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021.8.23 and later

Vendor Advisory: https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-xchm-ph5h-hw4x

Restart Required: No

Instructions:

1. Update the NTFS-3G package using the system package manager.
2. For Linux: 'sudo apt update && sudo apt upgrade ntfs-3g' (Debian/Ubuntu) or 'sudo yum update ntfs-3g' (RHEL/CentOS).
3. For source installations: download the latest release from GitHub and recompile.

🔧 Temporary Workarounds

Restrict NTFS mounting (linux)

Prevent mounting of untrusted NTFS filesystems via permissions or policies. Note that chmod 700 also strips the setuid bit from mount, so until the permissions are restored (a package upgrade normally resets them) no non-root user can mount anything, not only NTFS.

sudo chmod 700 /bin/mount
sudo chmod 700 /sbin/mount.ntfs-3g

Disable NTFS-3G FUSE module (linux)

Temporarily disable NTFS-3G if not needed. Unloading and blacklisting fuse disables every FUSE-based filesystem on the host, not only NTFS-3G, and the module cannot be unloaded while any FUSE filesystem is still mounted.

sudo modprobe -r fuse
echo 'blacklist fuse' | sudo tee /etc/modprobe.d/blacklist-fuse.conf

🧯 If You Can't Patch

  • Avoid mounting untrusted NTFS filesystems from unknown sources.
  • Implement strict access controls on mount utilities and filesystem operations.

🔍 How to Verify

Check if Vulnerable:

Check NTFS-3G version: 'ntfs-3g --version' or 'dpkg -l | grep ntfs-3g' or 'rpm -q ntfs-3g'.

Check Version:

ntfs-3g --version | head -1

Verify Fix Applied:

Confirm version is 2021.8.23 or higher using version check command.
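As an added check for this section (example code, not part of the advisory), the POSIX shell script below takes the first line of 'ntfs-3g --version', extracts the YYYY.M.D release and compares it component by component with 2021.8.23, so that a plain string comparison cannot rank 2021.8.9 above 2021.8.23. The banner format "ntfs-3g YYYY.M.D ..." is assumed and the sample banners are constructed.

```shell
# Added example, not from the advisory: classify an ntfs-3g version banner
# against the fixed release 2021.8.23. Banner format is assumed; samples are constructed.
FIXED_VERSION="2021.8.23"

# Pull the YYYY.M.D release out of a banner such as
# "ntfs-3g 2021.8.22 integrated FUSE 28 - Third Generation NTFS Driver".
# Suffixes such as "AR.3" on older Advanced releases are dropped; prints nothing
# when the line does not look like an ntfs-3g banner.
ntfs3g_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^ntfs-3g[[:space:]][[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Numeric, component-wise comparison of two YYYY.M.D strings; returns 0 when $1 >= $2.
version_ge() {
    v1=$1 v2=$2 i=0
    while [ "$i" -lt 3 ]; do
        c1=${v1%%.*} c2=${v2%%.*}
        [ "$c1" -gt "$c2" ] && return 0
        [ "$c1" -lt "$c2" ] && return 1
        v1=${v1#*.} v2=${v2#*.} i=$((i + 1))
    done
    return 0
}

# Verdict for one banner line: fixed, vulnerable, or unknown (unparseable banner).
ntfs3g_verdict() {
    ver=$(ntfs3g_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the locally installed binary when present (ntfs-3g writes its banner to stderr).
if command -v ntfs-3g >/dev/null 2>&1; then
    echo "installed ntfs-3g: $(ntfs3g_verdict "$(ntfs-3g --version 2>&1 | head -n 1)")"
fi

# Constructed sample banners covering each outcome.
for banner in \
    "ntfs-3g 2021.8.22 integrated FUSE 28 - Third Generation NTFS Driver" \
    "ntfs-3g 2022.10.3 integrated FUSE 28 - Third Generation NTFS Driver" \
    "ntfs-3g 2017.3.23AR.3 integrated FUSE 28 - Third Generation NTFS Driver" \
    "fuse: unrecognised option"
do
    printf '%-11s %s\n' "$(ntfs3g_verdict "$banner")" "$banner"
done
```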

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs showing 'out of memory' or process crashes related to mount/ntfs-3g
  • System logs with mount failures or filesystem errors

Network Indicators:

  • Unusual network file transfers of NTFS images
  • SMB/NFS requests for NTFS filesystem mounting

SIEM Query:

(Process:name="mount" AND CommandLine:"ntfs") OR (Process:name="ntfs-3g" AND EventID:1000 (Application Crash))
