[SECURITY] [DLA 4544-1] ntfs-3g security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4544-1] ntfs-3g security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Tue, 21 Apr 2026 15:31:44 +0000 (UTC)
Message-id: <[🔎] ba9fa44f-a93f-f7-982c-38239cfbcd8d@alteholz.de>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4544-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
April 21, 2026                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ntfs-3g
Version        : 1:2017.3.23AR.3-4+deb11u5
CVE ID         : CVE-2026-40706


Andrea Bocchetti discovered a heap-based buffer overflow in NTFS-3G, a
read-write NTFS driver for FUSE. A local user can take advantage of this
flaw for local root privilege escalation.


For Debian 11 bullseye, this problem has been fixed in version
1:2017.3.23AR.3-4+deb11u5.

We recommend that you upgrade your ntfs-3g packages.

For the detailed security status of ntfs-3g please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ntfs-3g

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmnnmGBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEcq3A//Ud65ehCM1nLWMwtUoTZ4KxGkuqDy/CvX9WbhydQCJT+pKpkleHbgtxqU
PNo2cDWLih75TGl3ohOoTQUWg+vcK+rbnOioE10tMUQ04Bz5exhnTqOTZdgkpvOt
vZXIXx5N81GVTqUhlLFnC9dS6z3kP+jmDqUymic69rZFFPKkfUTLYSiI9XQQ/1Xh
h7Pq2azyHhMhyMkeuubUQjyzvc6FDqGG29uWEzq8YTf1pKo5AFXHYV0tRY5lZwoK
H03sI4tSKjz9xn6b7TH0PqsC4kXCMzNkFMPjNZ4IISMAheWHawJvmqzQUIkzpMXJ
TvcoebV1p6lrwZzLO+XHw4breE7oXSsLhe2OjMswmq5FnTJeMhx57bxTRs+m37yu
DSKEFFHo2y6MDnhpg3uRKTMnAm0kVBVfnqahkgsyVK3685M2srDQfdvrRW+pUjsx
BQNpECGuLCniEKexSpeZbBdFYsivowP3uylt+JYtTic0nv7AypuPfLd3NXsURzvA
80K8loquKDmV9C46cfZw5QLxJIXYw9ngPj3cEVjt9lHWLTVGaITL9hmfK6HnAoz0
Z3IKGoLYjEeXcJqaulmohC3Fd40oapmjU54kGSKqxXQjYmxDnws3jpsqOf1KvmwT
PdU4LCNk8SFecpfdEtdLfAWr9DEbAgWKxPf6uaVCHcsF6dWyvmw=
=DXtf
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4543-1] simpleeval security update
Next by Date: [SECURITY] [DLA 4523-1] python-geopandas security update
Previous by thread: [SECURITY] [DLA 4543-1] simpleeval security update
Next by thread: [SECURITY] [DLA 4523-1] python-geopandas security update
Index(es):
- Date
- Thread