CVE-2026-8784
Symlink Following in cramfs-tools
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| npitre | cramfs-tools | to 2.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in cramfs-tools allows an attacker to manipulate symlinks during extraction, causing files to be written outside the intended directory. This unauthorized file creation could potentially lead to data leakage or unauthorized modification of sensitive files.
Such unauthorized file writes and potential data exposure could impact compliance with standards like GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access or modification.
However, the vulnerability requires local access and a crafted malicious repository, limiting the attack surface.
Applying the recommended patch mitigates the risk by ensuring extraction failures due to symlinks are treated as fatal errors, preventing unsafe file writes.
Can you explain this vulnerability to me?
CVE-2026-8784 is a vulnerability in the cramfsck utility of the cramfs-tools package. It occurs when extracting files using the -c (continue-on-error) and -x (extract) flags if the extraction directory already exists as a symbolic link (symlink). In this case, the mkdir() operation fails because the target is a symlink, but the extraction continues, causing files to be written through the symlink to an unintended location. This allows an attacker to redirect file writes outside the expected directory, potentially creating unauthorized files in attacker-controlled locations.
The root cause is improper handling of symlinks before file access, specifically failing to treat the failure to create the extraction directory as fatal when the path is a symlink rather than a real directory. The vulnerability is local and requires the attacker to provide a malicious repository with a symlinked output directory and a crafted CramFS image.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized file creation in locations outside the intended extraction directory. An attacker can exploit this to write files to arbitrary locations on the local system by manipulating symlinks and crafted CramFS images.
Such unauthorized file writes could overwrite or create sensitive files, potentially leading to privilege escalation, data corruption, or other security breaches depending on what files are targeted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when using the cramfsck utility from the cramfs-tools package with the -c (continue-on-error) and -x (extract) flags, especially if the extraction directory already exists as a symlink.
To detect if your system is vulnerable, you can check for the presence of symlinked extraction directories and test extraction behavior with cramfsck.
A practical command to test the vulnerability is to create a symlink named 'out' pointing to another directory (e.g., 'outside'), then run:
- cramfsck -c -x out rootfs.cramfs
If files are created in the symlink target directory (e.g., 'outside/pwn.txt') instead of the intended extraction directory, the system is vulnerable.
Additionally, you can inspect the extraction root directory with lstat() to verify if it is a symlink rather than a real directory before extraction.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to apply the patch identified by commit b4a3a695c9873f824907bd15659f2a6ac7667b4f, which fixes the vulnerability in cramfsck.
This patch ensures that directory creation failures due to symlinks are treated as fatal errors, preventing unsafe extraction operations.
Until the patch is applied, avoid using cramfsck with the -c and -x flags on untrusted or potentially malicious CramFS images, especially if the extraction directory might be a symlink.
Also, validate extraction directories to ensure they are not symlinks before running extraction commands.
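The lstat() check mentioned in the detection and mitigation answers above, as an added example (not code from cramfs-tools or its patch). The function names and the policy of accepting only a path that does not exist yet are assumptions made here:

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* exposes lstat() and S_ISLNK() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; this is not cramfs-tools code. */
enum root_state { ROOT_ABSENT, ROOT_REAL_DIR, ROOT_SYMLINK, ROOT_OTHER, ROOT_ERROR };

/* lstat() reports on the path itself and does not follow a final symlink,
 * so a link named "out" is seen as a link (even a dangling one), not as
 * the directory it points to. stat() would hide exactly that difference. */
enum root_state classify_extract_root(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return errno == ENOENT ? ROOT_ABSENT : ROOT_ERROR;
    if (S_ISLNK(st.st_mode))
        return ROOT_SYMLINK;
    if (S_ISDIR(st.st_mode))
        return ROOT_REAL_DIR;
    return ROOT_OTHER;
}

/* Assumed policy: extraction may proceed only into a path that does not
 * exist yet, so the extractor's own mkdir() creates a fresh directory. */
int extract_root_is_safe(const char *path)
{
    return classify_extract_root(path) == ROOT_ABSENT;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <extract-dir>\n", argv[0]);
        return 2;
    }
    switch (classify_extract_root(argv[1])) {
    case ROOT_ABSENT:   puts("ok: path does not exist yet");        return 0;
    case ROOT_SYMLINK:  puts("refuse: path is a symlink");          return 1;
    case ROOT_REAL_DIR: puts("refuse: directory already exists");   return 1;
    case ROOT_OTHER:    puts("refuse: path is not a directory");    return 1;
    default:            perror("lstat");                            return 1;
    }
}
```

Run it on the intended output path immediately before extraction. The check and the extraction are separate steps, so it reduces exposure but does not replace the patched cramfsck.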