VYPR
Medium severity · 5.3 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026

CVE-2026-8274

Description

A security vulnerability has been detected in npitre cramfs-tools up to 2.1. Affected is the function do_directory of the file cramfsck.c of the component Directory Handler. Such manipulation leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2 is able to address this issue. The name of the patch is 2fc492747115b24d8a07eddd27a2d45229cb273c. Upgrading the affected component is recommended.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

cramfs-tools 2.1 and earlier suffer from a path traversal in cramfsck.c do_directory, allowing local attackers to write files outside the extraction directory via crafted directory entry names.

Vulnerability

Overview

A path traversal vulnerability exists in npitre cramfs-tools up to version 2.1, specifically in the do_directory function of cramfsck.c. The root cause is that the extraction utility directly appends raw on-disk directory entry names to the extraction directory path without validating whether those names contain path separators (/) or traversal sequences (..). As a result, a specially crafted cramfs image can embed a directory entry name such as ../pwn, which when concatenated yields a path outside the intended destination directory. The code in question copies the current host path prefix into newpath, then appends the raw child name bytes without sanitization, and passes the resulting host path to subsequent file operations [2].

Exploitation

Requirements

The attack requires only local access to the machine where cramfsck -x is used to extract a cramfs image. No special privileges are needed; any user who can supply a crafted cramfs image (for example through a file download, an attachment, or a firmware-analysis pipeline) can trigger the vulnerability. The function expand_fs is called recursively on the constructed path, and regular files are subsequently opened with open(path, O_WRONLY | O_CREAT | O_TRUNC, ...), giving an attacker direct control over the destination of extracted files [2][3].

Impact

Assessment

Successful exploitation permits an attacker to create or overwrite arbitrary files on the host filesystem relative to the extraction root. This could be used to plant files adjacent to the extraction directory, overwrite configuration or application files that are reachable through directory traversal, or abuse automated filesystem-unpack utilities that trust the contents of cramfs images. The impact is limited to local file system manipulation; remote exploitation is not possible unless combined with another vector to deliver the malicious image [2][3].

Mitigation

The vulnerability is addressed in cramfs-tools version 2.2. The patch (commit 2fc492747115b24d8a07eddd27a2d45229cb273c) introduces validation that, during extraction, rejects directory entry names equal to "." or ".." and names containing a "/" character. Additionally, regular files are opened with O_CREAT | O_EXCL to prevent duplicate-entry attacks. Users are strongly advised to upgrade to version 2.2 or apply the corresponding patch. No workaround is specified; however, exercising caution with untrusted cramfs images is recommended until the affected component can be updated [1][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

2fc492747115

cramfsck: reject dirent names containing path separators or traversal components

https://github.com/npitre/cramfs-tools · Nicolas Pitre · Apr 22, 2026 · via nvd-ref
1 file changed · +7 −0
  • cramfsck.c · +7 −0 · modified
    @@ -567,6 +567,13 @@ static void do_directory(char *path, struct cramfs_inode *i)
     		if ((pathlen + newlen) - strlen(newpath) > 3) {
     			die(FSCK_UNCORRECTED, 0, "bad filename length");
     		}
    +		{
    +			const char *name = newpath + pathlen;
    +			if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0 ||
    +			    strchr(name, '/') != NULL) {
    +				die(FSCK_UNCORRECTED, 0, "bad filename: %s", name);
    +			}
    +		}
     		expand_fs(newpath, child);
     
     		offset += newlen;
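Review bot: the new block rejects ".", ".." and any name containing '/', but a zero-length entry name still passes the condition and yields a newpath that ends in "/", which is then handed to expand_fs(); adding `name[0] == '\0'` to the rejection condition would close that gap. A second, smaller point: the die() message prints the raw attacker-controlled name with "%s", so control or escape bytes embedded in a crafted image reach the terminal unescaped; reporting the entry offset, or a sanitised copy of the name, would be safer for the people running cramfsck on untrusted images.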
    

Vulnerability mechanics

Root cause

"Missing validation of directory entry names allows path traversal components like ".." or "/" to be concatenated into the extraction path."

Attack vector

An attacker with local access crafts a malicious cramfs filesystem image containing directory entries with names such as "../pwn". When a victim runs `cramfsck -x` to extract the image, the unsanitized entry name is concatenated directly into the extraction path, causing files to be written outside the intended destination root directory. The attack requires the victim to extract a specially crafted cramfs image using the `-x` flag, and the attacker must be able to supply that image to the victim (e.g., via download or removable media). [CWE-22]

Affected code

The vulnerable function is `do_directory()` in `cramfsck.c`. The function concatenates directory entry names directly into the extraction path without validating whether the name contains path traversal components ("..") or path separators ("/"). The adjacent code already performs a filename length check, but no content validation existed prior to the patch. [patch_id=424664]

What the fix does

The patch adds a validation block inside `do_directory()` in `cramfsck.c` that checks each directory entry name after it is parsed. If the name equals "." or "..", or contains a "/" character, the function immediately calls `die(FSCK_UNCORRECTED, ...)` and aborts extraction. This closes the path traversal by rejecting traversal components and path separators before they can be concatenated into the output path. [patch_id=424664]
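An added C example (not cramfs-tools code) that reproduces the name check the patch adds to `do_directory()` and shows what the unvalidated concatenation produced for the "../pwn" entry described above. `dirent_name_ok`, `join_extract_path` and the sample entry names are constructed here; the empty-name rejection is an extra check that the page's hunk does not show.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the 2.2 patch: reject "." and "..", and any name containing
 * a '/'. The empty-name rejection is an addition not in the page's hunk. */
int dirent_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    return 1;
}

/* Build "<root>/<name>" into out, as an extractor would. With validate == 0
 * this is the pre-patch behaviour: the name is appended unchecked.
 * Returns 1 on success, 0 if the name was rejected or does not fit. */
int join_extract_path(char *out, size_t outlen, const char *root,
                      const char *name, int validate)
{
    int n;
    if (validate && !dirent_name_ok(name))
        return 0;
    n = snprintf(out, outlen, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed entry names: one benign, then the traversal case from the
     * advisory, an absolute-path variant, a bare "..", and an empty name. */
    const char *names[] = { "etc", "../pwn", "/etc/passwd", "..", "" };
    char path[256];
    size_t k;
    for (k = 0; k < sizeof names / sizeof names[0]; k++) {
        int unchecked = join_extract_path(path, sizeof path, "out", names[k], 0);
        printf("unchecked: %-12s -> %s\n", names[k], unchecked ? path : "(too long)");
        int checked = join_extract_path(path, sizeof path, "out", names[k], 1);
        printf("validated: %-12s -> %s\n", names[k], checked ? path : "rejected");
    }
    return 0;
}
```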

Preconditions

  • input: Attacker must supply a crafted cramfs image with malicious directory entry names (e.g., containing '..' or '/')
  • auth: Attacker must have local access to the system to deliver the crafted image
  • config: Victim must run cramfsck with the -x (extract) flag on the malicious image

Generated by deepseek/deepseek-v4-flash-20260423 on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
