Executive Summary

CVE-2026-8274 is a security vulnerability in the cramfs-tools package, specifically in the cramfsck utility used to extract CramFS filesystem images. The vulnerability arises because cramfsck does not properly validate directory entry names when extracting files. An attacker can craft a malicious CramFS image containing directory entry names with path traversal sequences such as "../pwn". When extracted, these names cause files to be written outside the intended extraction directory, enabling arbitrary file writes on the host system.

The root cause is that cramfsck directly appends raw directory entry names from the CramFS image to the extraction path without checking for path separators or parent directory references. This allows path traversal attacks from a local environment.

The vulnerability was fixed in version 2.2 of cramfs-tools by adding checks to reject directory entry names containing slashes, dots, or double dots, preventing path traversal during extraction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized file creation or overwriting outside the intended extraction directory when processing malicious CramFS images. An attacker with local access can exploit this to write arbitrary files anywhere on the filesystem where the extraction is performed.

Such arbitrary file writes can potentially lead to system compromise, especially in automated environments or pipelines that process untrusted CramFS images, by overwriting critical files or placing malicious executables.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to extract a crafted CramFS image using the vulnerable cramfsck tool and observing if files are written outside the intended extraction directory due to path traversal in directory entry names.

A proof-of-concept involves creating a malicious CramFS image with directory entry names containing path traversal sequences such as "../pwn" and then extracting it with the command:

cramfsck -x <malicious_image>

If the extraction writes files outside the target directory (e.g., creates a file named "pwn" outside the extraction folder), the system is vulnerable.

Detection can also involve inspecting directory entry names in CramFS images for suspicious characters like slashes or double dots that indicate path traversal attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade cramfs-tools to version 2.2 or later, which includes a patch that rejects directory entry names containing path traversal characters such as slashes and dots.

This update adds validation in the extraction process to abort if directory entry names are ".", "..", or contain "/", preventing path traversal attacks.

Until the upgrade can be applied, avoid extracting untrusted or suspicious CramFS images using vulnerable versions of cramfsck.

Additionally, treat all directory entry names as untrusted input and consider implementing manual checks or sandboxed extraction environments to limit potential damage.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows local attackers to perform path traversal during extraction of CramFS filesystem images, potentially leading to unauthorized file creation or overwriting outside the intended directory.

Such unauthorized file writes could lead to system compromise or data integrity issues, which may impact compliance with standards and regulations that require protection of sensitive data and system integrity, such as GDPR and HIPAA.

However, the vulnerability is exploitable only from a local environment and requires crafted malicious images, which may limit the risk depending on the deployment context.

Upgrading to version 2.2 of cramfs-tools, which includes validation to prevent path traversal, is recommended to mitigate this risk and help maintain compliance with security requirements of common standards.

Useful 0 Not Useful 0