Executive Summary

CVE-2026-8784 is a vulnerability in the cramfsck utility of the cramfs-tools package. It occurs when extracting files using the -c (continue-on-error) and -x (extract) flags if the extraction directory already exists as a symbolic link (symlink). In this case, the mkdir() operation fails because the target is a symlink, but the extraction continues, causing files to be written through the symlink to an unintended location. This allows an attacker to redirect file writes outside the expected directory, potentially creating unauthorized files in attacker-controlled locations.

The root cause is improper handling of symlinks before file access, specifically failing to treat the failure to create the extraction directory as fatal when the path is a symlink rather than a real directory. The vulnerability is local and requires the attacker to provide a malicious repository with a symlinked output directory and a crafted CramFS image.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized file creation in locations outside the intended extraction directory. An attacker can exploit this to write files to arbitrary locations on the local system by manipulating symlinks and crafted CramFS images.

Such unauthorized file writes could overwrite or create sensitive files, potentially leading to privilege escalation, data corruption, or other security breaches depending on what files are targeted.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when using the cramfsck utility from the cramfs-tools package with the -c (continue-on-error) and -x (extract) flags, especially if the extraction directory already exists as a symlink.

To detect if your system is vulnerable, you can check for the presence of symlinked extraction directories and test extraction behavior with cramfsck.

A practical command to test the vulnerability is to create a symlink named 'out' pointing to another directory (e.g., 'outside'), then run:

• cramfsck -c -x out rootfs.cramfs

If files are created in the symlink target directory (e.g., 'outside/pwn.txt') instead of the intended extraction directory, the system is vulnerable.

Additionally, you can inspect the extraction root directory with lstat() to verify if it is a symlink rather than a real directory before extraction.

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to apply the patch identified by commit b4a3a695c9873f824907bd15659f2a6ac7667b4f, which fixes the vulnerability in cramfsck.

This patch ensures that directory creation failures due to symlinks are treated as fatal errors, preventing unsafe extraction operations.

Until the patch is applied, avoid using cramfsck with the -c and -x flags on untrusted or potentially malicious CramFS images, especially if the extraction directory might be a symlink.

Also, validate extraction directories to ensure they are not symlinks before running extraction commands.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in cramfs-tools allows an attacker to manipulate symlinks during extraction, causing files to be written outside the intended directory. This unauthorized file creation could potentially lead to data leakage or unauthorized modification of sensitive files.

Such unauthorized file writes and potential data exposure could impact compliance with standards like GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access or modification.

However, the vulnerability requires local access and a crafted malicious repository, limiting the attack surface.

Applying the recommended patch mitigates the risk by ensuring extraction failures due to symlinks are treated as fatal errors, preventing unsafe file writes.

Useful 0 Not Useful 0