Skip to main content

FastNetMon CVE-2026-48693

| EUVDEUVD-2026-31899 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-05-26 mitre GHSA-f762-5mrw-32x8
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:11 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
5.5 (MEDIUM)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 26, 2026 - 00:00 nvd
MEDIUM 5.5

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).

AnalysisAI

Local symlink exploitation in FastNetMon Community Edition through 1.2.9 allows a low-privileged local attacker to overwrite arbitrary files as the process user, which is typically root. The statistics output path is hardcoded to the predictable world-accessible location /tmp/fastnetmon.dat, written via std::ios::trunc without O_NOFOLLOW or symlink validation, and the daemon sets umask to 0 at startup making all created files world-writable. A secondary chmod() bug further misapplies permissions to the wrong path. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, but the typical root execution context makes this a reliable local privilege escalation primitive despite the moderate CVSS score.

Technical ContextAI

FastNetMon Community Edition is an open-source high-performance DDoS detection daemon. The vulnerability is rooted in CWE-59 (Improper Link Resolution Before File Access). Three compounding implementation defects exist in the source: (1) src/fastnetmon.cpp line 159 hardcodes the statistics file path to /tmp/fastnetmon.dat - a predictable, world-accessible location; (2) the print_screen_contents_into_file() function in src/fastnetmon_logic.cpp line 2186 opens that path using std::ios::trunc without the O_NOFOLLOW or O_EXCL flags, meaning the C++ standard library will silently follow an attacker-placed symlink and truncate whatever the symlink targets; (3) during daemonization at src/fastnetmon.cpp line 1821 the process calls umask(0), causing every subsequently created file to receive permissions 0666 or 0777 - fully world-writable. A separate code bug at line 2190 applies chmod() to cli_stats_file_path regardless of the file_path parameter actually passed, meaning the wrong file can receive altered permissions. The CPE string provided by NVD (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is generic and of limited use for automated asset scanning.

RemediationAI

No vendor-released patched version has been independently confirmed from the available data - the upstream GitHub repository at https://github.com/pavel-odintsov/fastnetmon and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48693 should be monitored for an official fix release. Until a patch is available, apply the following specific compensating controls: First, run FastNetMon under a dedicated low-privilege service account rather than root using systemd's User= and Group= directives - this is the highest-impact mitigation as it constrains the blast radius of a successful symlink attack to files owned by that account rather than the entire system; note this may require adjusting network capture permissions (e.g., CAP_NET_RAW capability). Second, pre-create /tmp/fastnetmon.dat as a regular file owned by the FastNetMon service account before daemon startup (e.g., via a systemd ExecStartPre= step) - an existing file owned by the process user prevents an attacker from replacing it with a symlink, though this mitigation must survive reboots via tmpfiles.d configuration. Third, consider mounting /tmp as a private tmpfs namespace for the FastNetMon service via systemd's PrivateTmp=true directive, which isolates the daemon's /tmp view entirely and eliminates the shared /tmp attack surface with no significant side effects for this workload.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-48693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy