CVE-2021-33285

Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 07 Sept 2021, 00:00
Last modified:03 Dec 2025, 14:52

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.8 HIGH
v3.1 (nvd)
EPSS Score
0.04% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 Sept 2021, 00:00
Published
Vulnerability first disclosed
03 Dec 2025, 14:52
Last Modified
Vulnerability information updated

Description

In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute is supplied to the function ntfs_get_attribute_value, a heap buffer overflow can occur allowing for memory disclosure or denial of service. The vulnerability is caused by an out-of-bound buffer access which can be triggered by mounting a crafted ntfs partition. The root cause is a missing consistency check after reading an MFT record : the "bytes_in_use" field should be less than the "bytes_allocated" field. When it is not, the parsing of the records proceeds into the wild.

CVSS Metrics

  • v3.1MEDIUMScore: 6.7CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • v2.0MEDIUMScore: 6.9AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.04% Percentile: 11%

Techniques & Countermeasures

  • CWE-787Out-of-bounds Write

    The product writes data past the end, or before the beginning, of the intended buffer.

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

  • debiandebian_linux

    9.0 | 10.0 | 11.0

  • fedoraprojectfedora

    33 | 34 | 35

  • redhatenterprise_linux

    7.0 | 8.0

  • tuxerantfs-3g

    < 2021.8.22

References (10)