CVE-2026-20840
ntfs.sys -- heap-based buffer overflow from unvalidated NTFS volume metadata
Summary
| Field | Value |
|---|---|
| Driver | ntfs.sys |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | January 13, 2026 |
Context
The NTFS driver continues to be a kernel attack surface that rewards simple corruption. This CVE was patched alongside CVE-2026-20922; together they are the sixth and seventh NTFS CVEs in the KernelSight corpus. The NTFS Deep Dive documents how the VHD auto-mount path gives any user the ability to feed attacker-controlled on-disk structures directly to the kernel's NTFS parser. Three earlier NTFS CVEs (CVE-2025-24984, CVE-2025-24991, CVE-2025-24993) were exploited in the wild through this exact delivery mechanism.
Root Cause
A heap-based buffer overflow in the NTFS driver occurs when processing crafted NTFS volume metadata. The driver reads attribute records from the Master File Table (MFT) and allocates kernel pool buffers to hold parsed data. When an MFT attribute contains a length field that does not match the actual data size, the driver allocates a buffer based on one value and copies data based on another. The mismatch overflows the heap buffer.
This is the same class of bug as CVE-2025-24993, which was exploited in the wild via a crafted VHD. The difference is which specific attribute parsing code path is involved.
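As an added illustration (not code from this advisory and not ntfs.sys code), the following C parser shows the invariant whose violation the root cause describes: the length that sizes the allocation must be the same length that has already been checked against the containing record and the bytes actually available. The resident-attribute header offsets follow the publicly documented NTFS layout; the record builder, the `scenario_status` helper and the sample payload are constructed for this example. It also covers the wrap-around case (a value length near `UINT32_MAX`), which a 32-bit `offset + length` comparison would wrongly accept.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resident attribute record header offsets (public NTFS layout). */
#define ATTR_HDR_MIN    0x18u  /* header bytes before the value may start */
#define OFF_TYPE        0x00u  /* attribute type code, 4 bytes            */
#define OFF_RECORD_LEN  0x04u  /* whole record length, 4 bytes            */
#define OFF_NONRESIDENT 0x08u  /* 0 = resident, 1 = non-resident          */
#define OFF_VALUE_LEN   0x10u  /* resident value length, 4 bytes          */
#define OFF_VALUE_OFF   0x14u  /* resident value offset, 2 bytes          */

typedef enum {
    ATTR_OK = 0,
    ATTR_TRUNCATED,        /* fewer bytes available than a header needs   */
    ATTR_BAD_RECORD_LEN,   /* record length exceeds the bytes we hold     */
    ATTR_BAD_VALUE_RANGE,  /* value offset/length do not fit the record   */
    ATTR_UNSUPPORTED       /* non-resident: out of scope for this example */
} attr_status;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Validate one resident attribute record at 'rec', of which only 'avail'
 * bytes are known to be readable. On ATTR_OK, *value/*value_len describe a
 * payload that lies entirely inside the record. */
attr_status parse_resident_attr(const uint8_t *rec, size_t avail,
                                const uint8_t **value, uint32_t *value_len)
{
    if (avail < ATTR_HDR_MIN) return ATTR_TRUNCATED;
    uint32_t rec_len = rd32(rec + OFF_RECORD_LEN);
    if (rec_len < ATTR_HDR_MIN || rec_len > avail) return ATTR_BAD_RECORD_LEN;
    if (rec[OFF_NONRESIDENT] != 0) return ATTR_UNSUPPORTED;
    uint32_t vlen = rd32(rec + OFF_VALUE_LEN);
    uint16_t voff = rd16(rec + OFF_VALUE_OFF);
    /* 64-bit arithmetic: voff + vlen must not be allowed to wrap to a
     * small number that passes the bound. */
    if (voff < ATTR_HDR_MIN || (uint64_t)voff + vlen > rec_len) return ATTR_BAD_VALUE_RANGE;
    *value = rec + voff;
    *value_len = vlen;
    return ATTR_OK;
}

/* Allocate and copy the value using the one validated length for both the
 * allocation and the memcpy; the mismatch the advisory describes cannot
 * arise because no second, unchecked length is ever consulted. */
uint8_t *copy_attr_value(const uint8_t *rec, size_t avail, uint32_t *out_len)
{
    const uint8_t *v; uint32_t vlen;
    if (parse_resident_attr(rec, avail, &v, &vlen) != ATTR_OK) return NULL;
    uint8_t *buf = malloc(vlen ? vlen : 1);
    if (!buf) return NULL;
    memcpy(buf, v, vlen);
    *out_len = vlen;
    return buf;
}

/* Constructed record builder for the scenarios below. 'claimed_value_len'
 * is written into the header as-is, so it may disagree with the real
 * payload size on purpose. Returns the record length, 0 if it won't fit. */
size_t build_record(uint8_t *out, size_t cap, uint32_t claimed_value_len,
                    const uint8_t *payload, uint32_t payload_len)
{
    size_t rec_len = (ATTR_HDR_MIN + payload_len + 7u) & ~(size_t)7u;
    if (rec_len > cap) return 0;
    memset(out, 0, rec_len);
    uint32_t type = 0x10;               /* $STANDARD_INFORMATION type code */
    uint32_t rl = (uint32_t)rec_len;
    uint16_t voff = ATTR_HDR_MIN;
    memcpy(out + OFF_TYPE, &type, 4);
    memcpy(out + OFF_RECORD_LEN, &rl, 4);
    out[OFF_NONRESIDENT] = 0;
    memcpy(out + OFF_VALUE_LEN, &claimed_value_len, 4);
    memcpy(out + OFF_VALUE_OFF, &voff, 2);
    memcpy(out + ATTR_HDR_MIN, payload, payload_len);
    return rec_len;
}

/* One constructed scenario: an 8-byte payload whose header claims
 * 'claimed_value_len' bytes, offered to the parser with 'avail' bytes
 * readable (0 = the whole 32-byte record). */
attr_status scenario_status(uint32_t claimed_value_len, size_t avail)
{
    uint8_t rec[64];
    const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed */
    size_t rec_len = build_record(rec, sizeof rec, claimed_value_len, payload, sizeof payload);
    const uint8_t *v; uint32_t vlen;
    return parse_resident_attr(rec, avail ? avail : rec_len, &v, &vlen);
}

int main(void)
{
    printf("consistent header      -> %d\n", scenario_status(8, 0));
    printf("oversized value length -> %d\n", scenario_status(0x1000, 0));
    printf("wrapping value length  -> %d\n", scenario_status(0xFFFFFFF0u, 0));
    printf("record longer than buf -> %d\n", scenario_status(8, 28));
    return 0;
}
```

The oversized and wrapping scenarios are the shapes of inconsistency the root cause describes (header length larger than the data the record actually carries); both are rejected before any allocation happens, and the wrapping case is rejected only because the comparison is done in 64 bits.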
Exploitation
The attacker crafts an NTFS volume with corrupted MFT attribute records and packages it in a VHD or VHDX file. When the target user mounts the VHD (by double-clicking it or through auto-mount), the kernel's NTFS parser processes the corrupted metadata. The heap overflow corrupts adjacent kernel pool objects. Pool spraying places controlled objects in the adjacent slots, and the corruption yields a kernel write primitive or code execution.
Exploitation Primitive
Crafted NTFS volume --> metadata parsing --> heap buffer overflow
--> adjacent object corruption --> code execution
Broader Significance
CVE-2026-20840 reinforces the structural problem with NTFS metadata parsing: the kernel parses untrusted on-disk structures directly, with no sandboxing layer and no pre-validation in user mode. Each patch fixes one parsing path, but the MFT contains dozens of attribute types, each with its own parsing logic. The attack surface is proportional to the complexity of the NTFS format specification, which is substantial.