Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security vulnerability has been detected in npitre cramfs-tools up to 2.1. Affected is the function do_directory of the file cramfsck.c of the component Directory Handler. Such manipulation leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2 is able to address this issue. The name of the patch is 2fc492747115b24d8a07eddd27a2d45229cb273c. Upgrading the affected component is recommended.
AnalysisAI
Path traversal vulnerability in cramfs-tools up to version 2.1 allows local authenticated users to escape directory restrictions via malformed filenames in the Directory Handler component (do_directory function in cramfsck.c). Publicly available exploit code exists. CVSS score of 1.9 reflects low confidentiality, integrity, and availability impact combined with local-only attack vector and required low privilege level; however, the vulnerability enables directory traversal that could facilitate unauthorized file access or modification on systems where cramfs-tools processes untrusted filesystem images.
Technical ContextAI
cramfs-tools is a utility for creating and checking CramFS (Compressed ROM FileSystem) images, commonly used in embedded Linux systems. The vulnerability resides in the do_directory function of cramfsck.c, which processes directory entries when validating or extracting CramFS filesystem structures. The root cause is improper input validation of filenames within archive entries - specifically, the function fails to sanitize filenames containing path traversal sequences (e.g., '..', absolute paths, or embedded slashes) before constructing output paths. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) issue where untrusted filenames from an archive are concatenated into file system paths without canonicalization or validation. The vulnerability manifests when processing a specially crafted CramFS image containing malicious directory entries.
RemediationAI
Upgrade cramfs-tools to version 2.2 or later immediately. The vendor-released patch is available at https://github.com/npitre/cramfs-tools/releases/tag/v2.2 and was committed via patch identifier 2fc492747115b24d8a07eddd27a2d45229cb273c. The fix adds strict filename validation in the do_directory function, rejecting entries with names containing '.' or '..' components and embedded forward slashes. If immediate upgrade is not feasible, restrict execution of cramfs-tools to trusted administrators only and limit the tool's ability to write to sensitive filesystem locations via OS-level controls (e.g., SELinux, AppArmor, or chroot jails). Avoid processing CramFS images from untrusted sources (third-party firmware, unverified downloads, or adversary-controlled uploads) until patching is complete. Note that restricting tool privileges may break legitimate workflows; upgrade should be prioritized over compensating controls.
More in Cramfs Tools
View allSame weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29032
GHSA-2x6r-r8j5-prxm