
Cloud Vulnerability DB
A community-led vulnerabilities database
A crafted NTFS image with an unallocated bitmap can lead to an endless recursive function call chain (starting from `ntfs_attr_pwrite`), causing stack consumption in NTFS-3G versions prior to 2021.8.22. This vulnerability was discovered and disclosed in August 2021, affecting the NTFS-3G driver, which is a read-write NTFS driver for FUSE (Debian Security, Ubuntu Security).
The vulnerability has been assigned a CVSS v3 score of 5.5 (Medium), with the following characteristics: Attack Vector: Local, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, Availability: High. The technical issue stems from improper validation of NTFS metadata that could potentially cause buffer overflows when processing unallocated bitmaps (GitHub Advisory).
The vulnerability affects the availability of the system by causing stack consumption through an endless recursive function call chain. When exploited, this could lead to a denial of service condition. The impact is particularly significant when the ntfs-3g binary is running with elevated privileges (GitHub Advisory).
The vulnerability was patched in NTFS-3G version 2021.8.22. Users and administrators are strongly advised to upgrade to this version or later. Multiple distributions have released security updates to address this vulnerability, including Debian (version 1:2017.3.23AR.3-4+deb11u1), Ubuntu, and Gentoo (Debian Security, Gentoo Security).
Source: This report was generated using AI