CVE-2026-20922
ntfs.sys -- heap-based buffer overflow in NTFS volume metadata parsing
Summary
| Field | Value |
|---|---|
| Driver | ntfs.sys |
| Vulnerability Class | Buffer Overflow (Heap) |
| CVSS | 7.8 |
| Exploited ITW | No |
| Patch Date | January 13, 2026 |
Context
CVE-2026-20922 was patched alongside CVE-2026-20840 in January 2026, marking the second time Microsoft shipped two NTFS heap overflow patches in the same update cycle. The first paired NTFS patches landed in March 2025, when three ITW-exploited NTFS CVEs were disclosed simultaneously (CVE-2025-24984, CVE-2025-24991, CVE-2025-24993). The continued appearance of NTFS bugs indicates that the VHD auto-mount attack vector remains a productive fuzzing and exploitation target.
The NTFS Deep Dive provides full context on why NTFS keeps producing vulnerabilities: the kernel parses untrusted on-disk structures directly from user-supplied VHD images, with no sandboxing, and the format contains dozens of variable-length attribute types with embedded offsets and lengths.
Root Cause
Insufficient validation of metadata field sizes during NTFS volume metadata processing leads to a heap-based buffer overflow. The driver reads attribute records from the MFT and sizes its kernel pool allocations from the length fields embedded in those records. When an embedded size field disagrees with the amount of data that actually follows it, the driver writes past the end of the allocated buffer.
This is a variant of the same root cause as CVE-2025-24993 and CVE-2026-20840, occurring in a different attribute parsing code path within ntfs.sys.
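The following is an added illustration of the validation gap described above, written for this page; it is not ntfs.sys code and does not reproduce the real NTFS attribute record layout. It models a simplified, hypothetical attribute header (type, record length, value length, value offset) and contrasts a parser that sizes its buffer straight from the embedded field with one that bounds every embedded size against its enclosing container before using it. The two sample MFT records are constructed inline; the second one carries the kind of inconsistency the advisory describes, a value length larger than the record that contains it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified attribute record header. The real NTFS layout has
 * more fields (non-resident flag, name, flags, id); only the size and offset
 * relationships that the advisory describes are modelled here. */
#define HDR_SIZE        14u          /* type(4) length(4) value_length(4) value_offset(2) */
#define ATTR_END_MARKER 0xFFFFFFFFu  /* terminates the attribute list in an MFT record */

enum attr_status {
    ATTR_OK = 0,
    ATTR_END,          /* end-of-attributes marker reached */
    ATTR_TRUNCATED,    /* header does not fit in the remaining record bytes */
    ATTR_BAD_LENGTH,   /* record length too small, unaligned, or past the MFT record */
    ATTR_BAD_VALUE     /* value_offset/value_length do not fit inside the record */
};

/* Little-endian readers; avoid relying on struct packing or host endianness. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* What an unchecked parser does: take the allocation size straight from the
 * embedded field. Nothing here looks at the enclosing record, so a forged
 * value_length is accepted as-is and later drives a mismatched copy. */
uint32_t resident_value_length_unchecked(const uint8_t *rec, size_t off)
{
    return rd32(rec + off + 8);
}

/* Hardened form: every embedded size is bounded by its container before it is
 * used. rec/rec_len is the whole MFT record; off is where this attribute starts.
 * On ATTR_OK the returned value_off/value_len describe a payload guaranteed to
 * lie inside rec[off .. off+length). */
enum attr_status validate_attr(const uint8_t *rec, size_t rec_len, size_t off,
                               uint32_t *length, uint32_t *value_len, uint16_t *value_off)
{
    if (off > rec_len || rec_len - off < 4) return ATTR_TRUNCATED;
    if (rd32(rec + off) == ATTR_END_MARKER) return ATTR_END;
    if (rec_len - off < HDR_SIZE) return ATTR_TRUNCATED;

    uint32_t len  = rd32(rec + off + 4);
    uint32_t vlen = rd32(rec + off + 8);
    uint16_t voff = rd16(rec + off + 12);

    /* The attribute record must cover its own header, be 8-byte aligned (an NTFS
     * convention), and end inside the MFT record. Subtracting first keeps the
     * comparison free of integer overflow. */
    if (len < HDR_SIZE || (len & 7u) != 0 || len > rec_len - off) return ATTR_BAD_LENGTH;
    /* The resident value must start after the header and end inside the attribute. */
    if (voff < HDR_SIZE || voff > len || vlen > len - voff) return ATTR_BAD_VALUE;

    *length = len; *value_len = vlen; *value_off = voff;
    return ATTR_OK;
}

/* Copy a resident value into a caller-owned buffer. The copy length comes from
 * the validated header and is additionally bounded by the destination capacity,
 * so neither a source over-read nor a destination overflow is possible.
 * Returns bytes copied, or -1 if the attribute is malformed or dst is too small. */
int copy_resident_value(const uint8_t *rec, size_t rec_len, size_t off, uint8_t *dst, size_t dst_cap)
{
    uint32_t len, vlen; uint16_t voff;
    if (validate_attr(rec, rec_len, off, &len, &vlen, &voff) != ATTR_OK) return -1;
    if (vlen > dst_cap) return -1;
    memcpy(dst, rec + off + voff, vlen);
    return (int)vlen;
}

/* Walk the attribute list. Returns the attribute count, or -1 at the first
 * record whose embedded sizes are inconsistent with the bytes that follow. */
int count_valid_attrs(const uint8_t *rec, size_t rec_len)
{
    size_t off = 0; int n = 0;
    for (;;) {
        uint32_t len, vlen; uint16_t voff;
        enum attr_status st = validate_attr(rec, rec_len, off, &len, &vlen, &voff);
        if (st == ATTR_END) return n;
        if (st != ATTR_OK) return -1;
        off += len; n++;
    }
}

/* Constructed sample records (not taken from a real disk). Layout per attribute:
 * type(4) length(4) value_length(4) value_offset(2) pad(2) value(8). */
static const uint8_t GOOD_REC[] = {
    0x10,0,0,0,  24,0,0,0,  8,0,0,0,  16,0,  0,0,  'S','T','D','I','N','F','O','!',
    0x30,0,0,0,  24,0,0,0,  8,0,0,0,  16,0,  0,0,  'F','I','L','E','N','A','M','E',
    0xFF,0xFF,0xFF,0xFF,  0,0,0,0,
};
/* Identical, except the second attribute claims a 512-byte value inside a 24-byte record. */
static const uint8_t BAD_REC[] = {
    0x10,0,0,0,  24,0,0,0,  8,0,0,0,  16,0,  0,0,  'S','T','D','I','N','F','O','!',
    0x30,0,0,0,  24,0,0,0,  0x00,0x02,0,0,  16,0,  0,0,  'F','I','L','E','N','A','M','E',
    0xFF,0xFF,0xFF,0xFF,  0,0,0,0,
};

int main(void)
{
    uint8_t dst[16];
    printf("good record: %d attributes\n", count_valid_attrs(GOOD_REC, sizeof GOOD_REC));
    printf("bad record:  %d (rejected)\n", count_valid_attrs(BAD_REC, sizeof BAD_REC));
    printf("unchecked parser would size its buffer at %u bytes\n",
           resident_value_length_unchecked(BAD_REC, 24));
    printf("checked copy of attr 1 from bad record: %d\n",
           copy_resident_value(BAD_REC, sizeof BAD_REC, 24, dst, sizeof dst));
    return 0;
}
```

The point of the contrast is where the bound comes from: the unchecked reader returns 512 for the forged attribute because it trusts the field in isolation, while the validated path rejects the same record because the value cannot fit in the 24 bytes the attribute itself claims. Checking each size against the structure that contains it, and then against the destination buffer, is the property the advisory says was missing.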
Exploitation
The attacker provides a crafted NTFS volume packaged in a VHD or VHDX file, or on physical media. When the volume is mounted, the kernel's NTFS parser processes the corrupted metadata. The heap overflow corrupts adjacent kernel pool objects, and the attacker leverages the corruption for code execution.
The VHD delivery vector is particularly effective because double-clicking a VHD file in Explorer triggers kernel-mode NTFS parsing without any privilege requirements. The file can be delivered via email, web download, or removable storage.
Exploitation Primitive
Crafted NTFS volume --> metadata parsing --> heap buffer overflow
--> adjacent object corruption --> code execution
Broader Significance
Seven NTFS CVEs in two years, three of them exploited in the wild, establish ntfs.sys as a persistent kernel attack surface. The file system driver parses one of the most complex on-disk formats in Windows, and every attribute type represents a separate parsing code path that may harbor its own validation gaps. The VHD auto-mount delivery mechanism means these bugs are one double-click away from kernel code execution.