
CVE-2021-46790: Tuxera NTFS-3G Buffer Overflow Flaw

CVE-2021-46790 is a heap-based buffer overflow vulnerability in Tuxera NTFS-3G's ntfsck utility that can compromise system security. This article covers the technical details, affected versions, security impact, and mitigation.

Published: February 25, 2026

CVE-2021-46790 Overview

CVE-2021-46790 is a heap-based buffer overflow vulnerability affecting the ntfsck utility in NTFS-3G through version 2021.8.22. The vulnerability involves improper memory handling at buffer+512*3-2, which can lead to memory corruption when processing malformed NTFS file systems. While the upstream maintainer has deprecated ntfsck, the utility continues to be shipped by several major Linux distributions, making this vulnerability relevant for enterprise Linux environments.

Critical Impact

Local attackers with low privileges can exploit this heap-based buffer overflow to potentially achieve arbitrary code execution, leading to complete system compromise with high confidentiality, integrity, and availability impact.

Affected Products

  • Tuxera NTFS-3G through version 2021.8.22
  • Debian Linux 10.0 and 11.0
  • Fedora 35 and 36

Discovery Timeline

  • 2022-05-02 - CVE-2021-46790 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-46790

Vulnerability Analysis

This vulnerability is classified as CWE-787 (Out-of-Bounds Write), a category of memory corruption flaws where software writes data past the boundaries of allocated memory. In the context of ntfsck, the heap-based buffer overflow occurs during file system checking operations when processing NTFS metadata structures.

The vulnerable code path involves buffer arithmetic using the expression buffer+512*3-2, suggesting the issue relates to NTFS sector or cluster boundary calculations. When ntfsck processes a specially crafted NTFS file system image, it fails to properly validate input boundaries before writing to the heap-allocated buffer, allowing an attacker to corrupt adjacent memory regions.

Successful exploitation requires local access to the system and the ability to provide a malicious NTFS file system image to the ntfsck utility. This could occur when mounting untrusted USB drives or processing NTFS images from external sources.

Root Cause

The root cause is insufficient bounds checking in the ntfsck utility when handling NTFS file system structures. The buffer calculation buffer+512*3-2 indicates the code operates on sector-sized blocks (512 bytes) but fails to verify that write operations remain within allocated buffer boundaries. This allows specially crafted NTFS metadata to trigger writes beyond the heap buffer's allocated size.

Attack Vector

The attack requires local access to the target system. An attacker must provide a malicious NTFS file system image that triggers the vulnerable code path in ntfsck. This could be achieved through:

  1. Physical access to insert a malicious USB drive containing a crafted NTFS partition
  2. Tricking a user into running ntfsck on a downloaded disk image
  3. Exploiting automated file system checking routines that process external storage

The vulnerability manifests in the NTFS file system checking routines where sector boundary calculations are performed. When ntfsck processes NTFS metadata structures, the buffer+512*3-2 arithmetic can result in heap memory corruption if the input file system contains malformed structures that cause the write offset to exceed buffer boundaries.

For detailed technical information about this vulnerability, refer to the GitHub Issue on NTFS-3G and the Openwall OSS Security Update.

Detection Methods for CVE-2021-46790

Indicators of Compromise

  • Unexpected crashes or segmentation faults in the ntfsck process
  • Core dumps generated during NTFS file system checking operations
  • Suspicious NTFS disk images or external storage devices with unusual metadata structures
  • Memory access violations logged by system monitoring tools during ntfsck execution

Detection Strategies

  • Monitor for abnormal ntfsck process behavior including crashes, unexpected termination, or high memory usage
  • Implement file integrity monitoring on NTFS-3G binaries to detect unauthorized modifications
  • Use memory corruption detection tools such as AddressSanitizer (ASan) when testing NTFS file systems from untrusted sources
  • Deploy endpoint detection and response (EDR) solutions to identify exploitation attempts targeting NTFS-3G utilities

Monitoring Recommendations

  • Configure system logging to capture ntfsck invocations and their parameters
  • Enable kernel auditing for file system operations involving external storage media
  • Monitor for privilege escalation attempts following NTFS file system mounting operations
  • Implement alerts for repeated ntfsck crashes which may indicate exploitation attempts
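
The repeated-crash alert from the list above, as an added example (not code from the original page or from the NTFS-3G project): it counts distinct crashed ntfsck processes in log text and alerts once a threshold is reached. The log lines are constructed samples in the kernel segfault and systemd-coredump message formats; the function names and the default threshold of 2 are assumptions.

```bash
#!/usr/bin/env bash
# Added example: alert on repeated ntfsck crashes found in log text.

# Constructed sample lines (kernel segfault and systemd-coredump formats).
# On a live host, pipe `journalctl --since "-1h" -o short-iso` in instead.
SAMPLE_LOG='2026-02-25T10:01:12+0000 host1 kernel: ntfsck[4121]: segfault at 55d0c8a3f5fe ip 000055d0c7e01a2c sp 00007ffd2b1c3e10 error 6 in ntfsck[55d0c7e00000+4000]
2026-02-25T10:01:12+0000 host1 systemd-coredump[4125]: Process 4121 (ntfsck) of user 1000 dumped core.
2026-02-25T10:02:03+0000 host1 kernel: [ 8841.102334] ntfsck[4377]: segfault at 55f3a91e25fe ip 000055f3a8c01a2c sp 00007ffc0e9914a0 error 6 in ntfsck[55f3a8c00000+4000]
2026-02-25T10:02:40+0000 host1 kernel: ntfsfix[4410]: segfault at 0 ip 0000561b2c4011d0 sp 00007ffe31b20f10 error 4 in ntfsfix[561b2c400000+3000]
2026-02-25T10:03:55+0000 host1 systemd-coredump[4506]: Process 4502 (ntfsck) of user 1000 dumped core.'

# Print the PID of every ntfsck process that crashed, one per line.
# A single crash can log both a kernel line and a coredump line, so PIDs
# are de-duplicated. (PID reuse over long windows can undercount.)
crashed_ntfsck_pids() {
    sed -nE \
        -e 's/.*kernel: (\[[ 0-9.]+\] )?ntfsck\[([0-9]+)\]: (segfault at|general protection).*/\2/p' \
        -e 's/.*systemd-coredump\[[0-9]+\]: Process ([0-9]+) \(ntfsck\) .*dumped core.*/\1/p' \
    | sort -u
}

# Print the number of distinct crashed ntfsck processes read from stdin.
count_ntfsck_crashes() {
    crashed_ntfsck_pids | grep -c . || true
}

# Return 0 and print an alert when the crash count reaches the threshold
# (first argument, default 2); return 1 otherwise.
ntfsck_crash_alert() {
    local threshold="${1:-2}" n
    n=$(count_ntfsck_crashes)
    if [ "$n" -ge "$threshold" ]; then
        echo "ALERT: ntfsck crashed $n times (threshold $threshold)"
        return 0
    fi
    return 1
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ntfsck_crash_alert 2 || true
```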

How to Mitigate CVE-2021-46790

Immediate Actions Required

  • Update NTFS-3G to the latest available version in your distribution's package repository
  • Avoid using the deprecated ntfsck utility on untrusted NTFS file systems
  • Apply distribution-specific security patches from Debian and Fedora advisories
  • Restrict execution of ntfsck to trusted administrators only

Patch Information

Security updates addressing CVE-2021-46790 have been released by multiple Linux distributions. Debian users should refer to Debian Security Advisory DSA-5160 for patching instructions. Fedora users can obtain updated packages through the standard package management system as announced in the Fedora Package Announcements.

Note that upstream considers ntfsck deprecated. Organizations should evaluate whether they require this utility and consider removing it entirely if not needed.

Workarounds

  • Remove or disable the ntfsck binary if NTFS file system checking functionality is not required
  • Use alternative methods for NTFS file system validation that do not rely on the vulnerable utility
  • Implement strict access controls to prevent unprivileged users from invoking ntfsck
  • Process only trusted NTFS file systems and avoid mounting or checking external media from unknown sources
```bash
# Option 1: restrict ntfsck to the file owner (root for the packaged binary)
sudo chmod 700 /usr/bin/ntfsck

# Option 2: remove the utility entirely if it is not needed
sudo rm /usr/bin/ntfsck

# Update NTFS-3G on Debian/Ubuntu (upgrades only this package)
sudo apt update && sudo apt install --only-upgrade ntfs-3g

# Update NTFS-3G on Fedora
sudo dnf update ntfs-3g
```
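
A check that the workaround above is in effect, as an added example that is not part of the original page: it reports every ntfsck found in a directory list and whether unprivileged users can still execute it. The function names are assumptions and GNU stat is assumed; because a package upgrade can reinstall the binary or reset its mode, re-run the check after updates.

```bash
#!/usr/bin/env bash
# Added example: verify that ntfsck is absent or not runnable by ordinary users.

# Classify one candidate path:
#   absent     - nothing at that path
#   restricted - no execute bit for "other" users
#   exposed    - any local user can run it
ntfsck_exposure() {
    local path="$1" mode
    [ -e "$path" ] || { echo absent; return 0; }
    mode=$(stat -L -c '%a' "$path")      # GNU stat; -L follows symlinks
    case ${mode#"${mode%?}"} in          # last octal digit = "other" bits
        1|3|5|7) echo exposed ;;
        *)       echo restricted ;;
    esac
}

# Walk a colon-separated directory list (default: $PATH) and report every
# ntfsck found. Returns 1 if any copy is executable by unprivileged users.
audit_ntfsck() {
    local dirs="${1:-$PATH}" dir state rc=0 old_ifs="$IFS"
    IFS=:
    for dir in $dirs; do
        if [ -z "$dir" ]; then continue; fi
        state=$(ntfsck_exposure "$dir/ntfsck")
        if [ "$state" = absent ]; then continue; fi
        echo "$dir/ntfsck: $state"
        if [ "$state" = exposed ]; then rc=1; fi
    done
    IFS="$old_ifs"
    return $rc
}

# Stand-alone run against the current PATH.
audit_ntfsck || true
```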

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Buffer Overflow
  • Vendor/Tech: Tuxera NTFS-3G
  • Severity: HIGH
  • CVSS Score: 7.8
  • EPSS Probability: 0.04%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-787

Technical References

  • Openwall OSS Security Update
  • GitHub Issue on NTFS-3G
  • Fedora Package Announcements
  • Debian Security Advisory DSA-5160