CVE-2021-39255: 
Alma Linux vulnerability analysis and mitigation

A crafted NTFS image can trigger an out-of-bounds read vulnerability in NTFS-3G versions prior to 2021.8.22, caused by an invalid attribute in ntfsattrfindinattrdef function (NVD, Ubuntu). The vulnerability was discovered and disclosed in August 2021, affecting all previous versions of open source NTFS-3G and NTFSPROGS software (Tuxera Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates a local attack vector with low attack complexity, requiring low privileges and no user interaction (NVD). The vulnerability is classified as CWE-125 (Out-of-bounds Read) and affects the core functionality of NTFS-3G's attribute handling system.

The vulnerability could potentially allow an attacker using a maliciously crafted NTFS-formatted image file or external storage to execute arbitrary privileged code. This is particularly critical if the attacker has local access and the ntfs-3g binary is setuid root, or if the attacker has physical access to an external port on a computer configured to run the ntfs-3g binary (Tuxera Advisory).

The recommended solution is to upgrade to NTFS-3G version 2021.8.22 or later. No alternative workarounds are available (Tuxera Advisory). Various distributions have released security updates to address this vulnerability, including Debian (Debian Advisory), Ubuntu (Ubuntu), and Gentoo (Gentoo Advisory).