CVE-2022-30788

Description

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc in NTFS-3G through 2021.8.22.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.7CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.03%• Percentile: 9%

Techniques & Countermeasures

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• debian•debian_linux

  9.0 | 10.0 | 11.0

• fedoraproject•fedora

  35 | 36

• tuxera•ntfs-3g

  ≤ 2021.8.22

References (9)

• https://github.com/tuxera/ntfs-3g/releases
• https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-xchm-ph5h-hw4x
• https://www.debian.org/security/2022/dsa-5160
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECDCISL24TYH4CTDFCUVF24WAKRSYF7F/
• https://lists.debian.org/debian-lts-announce/2022/06/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FAXFYIJWT5SHHRNPOJETM77EIMJ6ZP6I/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEXHDCUSLJD2HSPMAAVZ5AWMPUOG6UI7/
• https://security.gentoo.org/glsa/202301-01