CVE-2022-30786

7.8 HIGH

📋 TL;DR

CVE-2022-30786 is a heap-based buffer overflow vulnerability in NTFS-3G's ntfs_names_full_collate function that allows attackers to execute arbitrary code or cause denial of service by mounting a specially crafted NTFS image. This affects systems using NTFS-3G for NTFS filesystem access, particularly Linux/Unix systems that mount NTFS drives. The vulnerability requires local access to mount malicious NTFS images.

💻 Affected Systems

Products:
  • NTFS-3G
Versions: All versions through 2021.8.22
Operating Systems: Linux, Unix-like systems, macOS (via FUSE), BSD variants
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when NTFS-3G is installed and used to mount NTFS filesystems. Systems without NTFS-3G or that don't mount NTFS are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution with the privileges of the user mounting the NTFS image, potentially leading to root access if mounted by privileged users.

🟠

Likely Case

Denial of service (system crash) or limited code execution within the context of the mounting user's permissions.

🟢

If Mitigated

No impact if systems don't mount untrusted NTFS images or have updated NTFS-3G.

🌐 Internet-Facing: LOW - Requires mounting local NTFS images, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users with ability to mount NTFS images could exploit this, but requires specific action (mounting crafted image).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to mount a crafted NTFS image. Proof-of-concept code is available in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021.8.23 and later

Vendor Advisory: https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-xchm-ph5h-hw4x

Restart Required: No

Instructions:

1. Update NTFS-3G to version 2021.8.23 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install ntfs-3g.
3. For RHEL/CentOS/Fedora: sudo yum update ntfs-3g or sudo dnf update ntfs-3g.
4. For source installations: Download the latest release from https://github.com/tuxera/ntfs-3g and compile it.

🔧 Temporary Workarounds

Disable NTFS mounting

linux

Prevent mounting of NTFS filesystems to eliminate the attack surface (note that unloading the fuse module also disables every other FUSE-based filesystem on the host, not only NTFS-3G)

sudo rmmod fuse
sudo chmod 000 /sbin/mount.ntfs
sudo chmod 000 /usr/bin/ntfs-3g

Mount NTFS as read-only

linux

Mount NTFS filesystems with the read-only option to prevent exploitation

mount -t ntfs-3g -o ro /dev/sdX1 /mnt/ntfs

🧯 If You Can't Patch

  • Restrict NTFS mounting to trusted users only via sudoers or similar access controls
  • Implement strict controls on what NTFS images can be mounted (whitelist trusted sources only)

🔍 How to Verify

Check if Vulnerable:

Check the NTFS-3G version: ntfs-3g --version | head -1. If the version is 2021.8.22 or earlier, the system is vulnerable.

Check Version:

ntfs-3g --version | head -1

Verify Fix Applied:

After the update, verify that the version is 2021.8.23 or later: ntfs-3g --version | head -1
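As an added example (not part of this advisory or of the NTFS-3G project), the POSIX shell helper below parses the first line of the ntfs-3g --version banner and compares it numerically with the fixed release 2021.8.23, so the check can be scripted across many hosts instead of read by eye. The banner strings in the comments are constructed samples. One caveat for distributions that backport security fixes under an older version number: there the package changelog, not this comparison, is authoritative.

```shell
#!/bin/sh
# Added example: compare the ntfs-3g version banner with the fixed release.
# Banner strings quoted in comments are constructed samples.
FIXED_VERSION="2021.8.23"

# Pull "YYYY.M.D" out of a banner such as "ntfs-3g 2021.8.22 external FUSE 29".
# Advanced builds append "AR.n" to the version; that suffix is dropped.
ntfs3g_version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/AR.*$//'
}

# Exit 0 when version $1 is older than version $2 (both dotted numerics).
version_lt() {
    v1=$1; v2=$2
    old_ifs=$IFS; IFS=.
    set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    if [ "$a1" -ne "$b1" ]; then
        [ "$a1" -lt "$b1" ] && return 0
        return 1
    fi
    if [ "$a2" -ne "$b2" ]; then
        [ "$a2" -lt "$b2" ] && return 0
        return 1
    fi
    [ "$a3" -lt "$b3" ]
}

# Exit 0 (vulnerable) when the banner reports a version before 2021.8.23,
# 1 when it is fixed, 2 when no version could be parsed from the banner.
ntfs3g_is_vulnerable() {
    ver=$(ntfs3g_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    version_lt "$ver" "$FIXED_VERSION"
}

# Stand-alone use: inspect the locally installed binary, if there is one.
# ntfs-3g prints its banner on stderr on some builds, hence the redirect.
if command -v ntfs-3g >/dev/null 2>&1; then
    banner=$(ntfs-3g --version 2>&1 | head -1)
    if ntfs3g_is_vulnerable "$banner"; then
        echo "VULNERABLE by version: $banner"
    else
        echo "not affected by version: $banner"
    fi
else
    echo "ntfs-3g not installed: not affected"
fi
```

The comparison is done field by field rather than as a string so that a later release with a shorter day or month number (for example 2022.5.17) is not mistaken for an older one.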

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs showing NTFS-3G crashes
  • System logs with mount failures for NTFS filesystems
  • Unexpected process termination of mount.ntfs or ntfs-3g

Network Indicators:

  • No network indicators - this is a local filesystem vulnerability

SIEM Query:

Process termination: (process_name="mount.ntfs" OR process_name="ntfs-3g") AND termination_type="crash"
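As an added example (not part of this advisory), the shell snippet below applies the crash indicators listed above to kernel and systemd journal lines: it keeps only lines that name an NTFS-3G process or mount unit and also carry a crash signature. The log lines in SAMPLE_LOG are constructed, and the exact wording of the patterns is an assumption about the kernel's segfault/trap messages and systemd's mount-unit failure messages; adjust them to what your own hosts log.

```shell
#!/bin/sh
# Added example: flag log lines that indicate an NTFS-3G mount helper crashed.
# SAMPLE_LOG is constructed for illustration, not captured from a real host.
SAMPLE_LOG=$(cat <<'EOF'
Jun 01 10:02:11 host kernel: ntfs-3g[4242]: segfault at 7f3c1a2b0000 ip 00007f3c1a2b3c4d sp 00007ffd1234abcd error 4 in libntfs-3g.so.89[7f3c1a200000+4a000]
Jun 01 10:02:11 host systemd[1]: mnt-ntfs.mount: Mount process exited, code=killed, status=11/SEGV
Jun 01 10:05:00 host sshd[100]: Accepted publickey for alice from 10.0.0.5 port 50122
Jun 01 10:06:40 host ntfs-3g[5100]: Version 2021.8.22 external FUSE 29
Jun 01 10:07:30 host kernel: traps: mount.ntfs[5151] general protection fault ip:7f0c00001234 sp:7ffd00005678 error:0 in mount.ntfs[400000+30000]
EOF
)

# Process names and mount-unit names that belong to NTFS-3G, followed
# anywhere on the line by a crash signature the kernel or systemd would log.
# Both patterns are assumptions about log wording; tune them per host.
NTFS_PROCESS_RE='(ntfs-3g|mount\.ntfs|ntfs\.mount)'
CRASH_RE='(segfault|general protection|SEGV|signal 11)'

# Print only the lines that match both patterns (empty output if none).
ntfs_crash_lines() {
    printf '%s\n' "$1" | grep -E "${NTFS_PROCESS_RE}.*${CRASH_RE}"
}

# Number of matching lines as a plain integer (wc pads on some systems).
ntfs_crash_count() {
    ntfs_crash_lines "$1" | wc -l | tr -d ' '
}

# Stand-alone use: report on the constructed sample. A benign ntfs-3g
# "Version ..." line is present to show that process name alone is not enough.
echo "NTFS-3G crash indicators in sample log: $(ntfs_crash_count "$SAMPLE_LOG")"
ntfs_crash_lines "$SAMPLE_LOG"
```

Against a live host, feed the kernel ring buffer or the journal in the same way, for example ntfs_crash_lines "$(dmesg)"; a non-zero count from ntfs_crash_count is the condition to alert on, matching the SIEM query above.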

🔗 References
