CVE-2026-8274
Path Traversal in cramfs-tools Directory Handler
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| npitre | cramfs-tools | to 2.2 (exc) |
| npitre | cramfs-tools | 2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8274 is a security vulnerability in the cramfs-tools package, specifically in the cramfsck utility used to extract CramFS filesystem images. The vulnerability arises because cramfsck does not properly validate directory entry names when extracting files. An attacker can craft a malicious CramFS image containing directory entry names with path traversal sequences such as "../pwn". When extracted, these names cause files to be written outside the intended extraction directory, enabling arbitrary file writes on the host system.
The root cause is that cramfsck directly appends raw directory entry names from the CramFS image to the extraction path without checking for path separators or parent directory references. This allows path traversal attacks from a local environment.
The vulnerability was fixed in version 2.2 of cramfs-tools by adding checks that reject directory entry names that are "." or "..", or that contain a slash, preventing path traversal during extraction.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized file creation or overwriting outside the intended extraction directory when processing malicious CramFS images. An attacker with local access can exploit this to write arbitrary files anywhere on the filesystem where the extraction is performed.
Such arbitrary file writes can potentially lead to system compromise, especially in automated environments or pipelines that process untrusted CramFS images, by overwriting critical files or placing malicious executables.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to extract a crafted CramFS image using the vulnerable cramfsck tool and observing if files are written outside the intended extraction directory due to path traversal in directory entry names.
A proof-of-concept involves creating a malicious CramFS image with directory entry names containing path traversal sequences such as "../pwn" and then extracting it with the command:
cramfsck -x <extract_dir> <malicious_image>
If the extraction writes files outside the target directory (e.g., creates a file named "pwn" outside the extraction folder), the system is vulnerable.
Detection can also involve inspecting directory entry names in CramFS images for suspicious characters like slashes or double dots that indicate path traversal attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade cramfs-tools to version 2.2 or later, which includes a patch that rejects directory entry names containing path traversal characters such as slashes and dots.
This update adds validation in the extraction process to abort if directory entry names are ".", "..", or contain "/", preventing path traversal attacks.
Until the upgrade can be applied, avoid extracting untrusted or suspicious CramFS images using vulnerable versions of cramfsck.
Additionally, treat all directory entry names as untrusted input and consider implementing manual checks or sandboxed extraction environments to limit potential damage.
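The validation described above (abort on names that are ".", "..", or contain "/"), written as a stand-alone C check. This is an added example, not the cramfs-tools patch or any code from the project; the function names, the `out` directory and the sample names are assumptions, and the empty-name and path-length checks go beyond what the page describes.

```c
#include <stdio.h>
#include <string.h>

/* A cramfs name field is namelen*4 bytes, NUL-padded, and not necessarily
 * NUL-terminated, so measure it with a bounded scan. */
static size_t entry_name_len(const char *field, size_t field_len)
{
    const char *nul = memchr(field, '\0', field_len);
    return nul ? (size_t)(nul - field) : field_len;
}

/* Returns 1 if the name is one safe path component, 0 otherwise. */
int entry_name_ok(const char *field, size_t field_len)
{
    size_t n = entry_name_len(field, field_len);
    if (n == 0)
        return 0;                          /* empty name */
    if (field[0] == '.' && (n == 1 || (n == 2 && field[1] == '.')))
        return 0;                          /* "." or ".." */
    if (memchr(field, '/', n) != NULL)
        return 0;                          /* contains a path separator */
    return 1;
}

/* Writes "<dir>/<name>" to out. Returns 0 on success, -1 if the name is
 * rejected or the path does not fit; out is valid only on success. */
int join_entry_path(char *out, size_t out_len, const char *dir,
                    const char *field, size_t field_len)
{
    int n = (int)entry_name_len(field, field_len);
    int written;
    if (!entry_name_ok(field, field_len))
        return -1;
    written = snprintf(out, out_len, "%s/%.*s", dir, n, field);
    return (written < 0 || (size_t)written >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names in 8-byte name fields (hypothetical input). */
    const char samples[][8] = { "etc", "../pwn", "..", "a/b", "a..b" };
    char path[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = join_entry_path(path, sizeof path, "out", samples[i], 8);
        printf("%-8.8s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Names such as "a..b" pass because the check targets whole-name "." and ".." plus any "/", not every dot in a filename.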