Skip to main content

cramfs-tools CVE-2026-8274

| EUVDEUVD-2026-29032 LOW
Path Traversal (CWE-22)
2026-05-11 VulDB GHSA-2x6r-r8j5-prxm
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 11, 2026 - 05:30 vuln.today
Analysis Generated
May 11, 2026 - 05:30 vuln.today
Severity Changed
May 11, 2026 - 05:22 NVD
MEDIUM LOW
CVSS changed
May 11, 2026 - 05:22 NVD
5.3 (MEDIUM) 1.9 (LOW)
CVE Published
May 11, 2026 - 04:45 nvd
LOW 1.9

DescriptionCVE.org

A security vulnerability has been detected in npitre cramfs-tools up to 2.1. Affected is the function do_directory of the file cramfsck.c of the component Directory Handler. Such manipulation leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2 is able to address this issue. The name of the patch is 2fc492747115b24d8a07eddd27a2d45229cb273c. Upgrading the affected component is recommended.

AnalysisAI

Path traversal vulnerability in cramfs-tools up to version 2.1 allows local authenticated users to escape directory restrictions via malformed filenames in the Directory Handler component (do_directory function in cramfsck.c). Publicly available exploit code exists. CVSS score of 1.9 reflects low confidentiality, integrity, and availability impact combined with local-only attack vector and required low privilege level; however, the vulnerability enables directory traversal that could facilitate unauthorized file access or modification on systems where cramfs-tools processes untrusted filesystem images.

Technical ContextAI

cramfs-tools is a utility for creating and checking CramFS (Compressed ROM FileSystem) images, commonly used in embedded Linux systems. The vulnerability resides in the do_directory function of cramfsck.c, which processes directory entries when validating or extracting CramFS filesystem structures. The root cause is improper input validation of filenames within archive entries - specifically, the function fails to sanitize filenames containing path traversal sequences (e.g., '..', absolute paths, or embedded slashes) before constructing output paths. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) issue where untrusted filenames from an archive are concatenated into file system paths without canonicalization or validation. The vulnerability manifests when processing a specially crafted CramFS image containing malicious directory entries.

RemediationAI

Upgrade cramfs-tools to version 2.2 or later immediately. The vendor-released patch is available at https://github.com/npitre/cramfs-tools/releases/tag/v2.2 and was committed via patch identifier 2fc492747115b24d8a07eddd27a2d45229cb273c. The fix adds strict filename validation in the do_directory function, rejecting entries with names containing '.' or '..' components and embedded forward slashes. If immediate upgrade is not feasible, restrict execution of cramfs-tools to trusted administrators only and limit the tool's ability to write to sensitive filesystem locations via OS-level controls (e.g., SELinux, AppArmor, or chroot jails). Avoid processing CramFS images from untrusted sources (third-party firmware, unverified downloads, or adversary-controlled uploads) until patching is complete. Note that restricting tool privileges may break legitimate workflows; upgrade should be prioritized over compensating controls.

Share

CVE-2026-8274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy