CVE-2021-39251: 
Alma Linux vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in NTFS-3G versions prior to 2021.8.22, specifically in the ntfsextentinode_open function. This vulnerability was part of a larger security advisory (NTFS3G-SA-2021-0001) that included multiple security issues affecting the NTFS-3G and NTFSPROGS software. The vulnerability was discovered and reported by security researchers Jeremy Galindo, Akshay Ajayan, Kyle Zeng, and Fish Wang (Openwall OSS).

The vulnerability occurs when processing a crafted NTFS image that can trigger a NULL pointer dereference in the ntfsextentinode_open function. The issue was assigned a moderate severity rating with CVSS scores ranging from 3.9 to 6.7. The vulnerability was part of a broader set of security issues that could potentially allow for privilege escalation under specific conditions (GitHub Advisory).

The vulnerability could be exploited if an attacker has either local access and the ntfs-3g binary is setuid root, or if the attacker has physical access to an external port on a computer configured to run the ntfs-3g binary or ntfsprogs tools when external storage is connected. This could potentially lead to local root privilege escalation (Debian Security, Openwall OSS).

No workarounds were available for this vulnerability. The only solution was to upgrade to NTFS-3G version 2021.8.22 or later. Various Linux distributions released security updates to address this issue, including Debian (versions 1:2017.3.23AR.3-4+deb11u1 for bullseye and 1:2017.3.23AR.3-3+deb10u1 for buster), Fedora, and Gentoo (Debian Security, Gentoo Security).