CVE-2022-30787 in NTFS-3G
Summary
by MITRE • 05/26/2022
An integer underflow in fuse_lib_readdir enables arbitrary memory read operations in NTFS-3G through 2021.8.22 when using libfuse-lite.
Analysis
by VulDB Data Team • 03/01/2026
CVE-2022-30787 is a critical integer underflow in the NTFS-3G filesystem driver, which operates through the FUSE (Filesystem in Userspace) framework. The flaw is in the fuse_lib_readdir function, which handles directory reading operations: malicious input can trigger an integer underflow that in turn enables arbitrary memory reads. It affects NTFS-3G versions up to and including 2021.8.22 when used with libfuse-lite, which makes it particularly concerning for systems that rely on FUSE-based filesystem implementations. The underlying issue is inadequate input validation and boundary checking in the directory listing functionality, which allows attackers to manipulate the size parameters passed to the read operations.
Exploitation occurs through crafted directory listing requests that trigger the integer underflow in the fuse_lib_readdir function. When the underflow occurs, the buffer size calculation becomes negative or unexpectedly small, leading to memory access patterns that can be manipulated to read arbitrary memory locations. The vulnerability falls under CWE-190 (Integer Overflow or Wraparound), here manifesting as an integer underflow that enables memory corruption and unauthorized data access. The flaw is particularly dangerous because it operates at the filesystem level, where it can potentially access sensitive kernel memory regions or user data, depending on the system configuration and memory layout.
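The bug class described above, as an added C example that is not taken from NTFS-3G or libfuse-lite: it shows how an unsigned size calculation wraps when an offset exceeds the buffer length, next to a bounds-checked version. The names dir_buf, reply_len_unchecked, reply_len_checked, range_in_bounds and sample_buf are hypothetical, and the 64-byte buffer is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical directory-listing buffer: `len` bytes of packed entries. */
struct dir_buf { const unsigned char *data; size_t len; };

/* Unsafe pattern: assumes off <= len. When off > len the unsigned
 * subtraction wraps to a huge value, so the clamp against `size` has no
 * effect and a caller would copy `size` bytes starting past the buffer. */
size_t reply_len_unchecked(const struct dir_buf *d, size_t off, size_t size)
{
    size_t remaining = d->len - off;            /* wraps when off > len */
    return remaining < size ? remaining : size;
}

/* Hardened pattern: validate the offset before subtracting. */
size_t reply_len_checked(const struct dir_buf *d, size_t off, size_t size)
{
    if (off >= d->len)
        return 0;                               /* nothing left to return */
    size_t remaining = d->len - off;            /* cannot wrap here */
    return remaining < size ? remaining : size;
}

/* True only when [off, off + n) lies inside the buffer; written so that
 * the check itself cannot overflow or underflow. */
int range_in_bounds(const struct dir_buf *d, size_t off, size_t n)
{
    return off <= d->len && n <= d->len - off;
}

/* Constructed sample: a 64-byte zero-filled listing buffer. */
struct dir_buf sample_buf(void)
{
    static const unsigned char entries[64];
    struct dir_buf d = { entries, sizeof entries };
    return d;
}

int main(void)
{
    struct dir_buf d = sample_buf();
    size_t off = 80, size = 4096;               /* offset past the 64-byte end */
    size_t bad = reply_len_unchecked(&d, off, size);
    size_t ok = reply_len_checked(&d, off, size);
    printf("unchecked: len=%zu in_bounds=%d\n", bad, range_in_bounds(&d, off, bad));
    printf("checked:   len=%zu in_bounds=%d\n", ok, range_in_bounds(&d, off, ok));
    return 0;
}
```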
The operational impact of CVE-2022-30787 extends beyond simple data read access: it is a potential pathway for privilege escalation and information disclosure attacks. Attackers can use it to extract sensitive information from memory, potentially including authentication credentials, cryptographic keys, or other confidential data held in memory regions accessible through the filesystem interface. Systems using NTFS-3G with libfuse-lite are particularly at risk when running FUSE-based services or when users can mount NTFS volumes through FUSE interfaces. The vulnerability can be exploited in both local and remote scenarios, depending on the system configuration and attack surface, making it a significant concern for enterprise environments and cloud deployments where NTFS filesystems are mounted through FUSE interfaces.
Mitigation for CVE-2022-30787 should prioritize immediately updating affected NTFS-3G versions to the latest releases, which contain the fixes for the integer underflow. Organizations should also implement network segmentation and access controls to limit exposure of systems running vulnerable FUSE-based filesystem implementations. Remediation should include thorough testing of the updated NTFS-3G versions to ensure compatibility with existing FUSE-based applications and services. Security monitoring should be enhanced to detect unusual directory listing patterns that might indicate exploitation attempts, and system administrators should consider additional controls such as mandatory access controls and privilege separation. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and credential access, making it a critical target for security hardening efforts and incident response planning.