Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack requires a local approach. The exploit is now public and may be used. The patch is named b4a3a695c9873f824907bd15659f2a6ac7667b4f. It is recommended to apply a patch to fix this issue.
AnalysisAI
Symlink following in cramfs-tools 2.2 and earlier allows local privileged attackers to manipulate file ownership or timestamps on arbitrary filesystem locations during cramfs extraction. The vulnerability exists in the change_file_status function in cramfsck.c, which performs metadata operations (chown, chmod, utime) without validating that extracted paths are not symbolic links pointing outside the extraction directory. A publicly available exploit exists (GitHub issue #13), and the vendor has released patch commit b4a3a695c. EPSS data not available; not listed in CISA KEV. CVSS 4.2 reflects the local high-privilege requirement, though real-world risk depends heavily on whether cramfs extraction occurs in privileged contexts.
Technical ContextAI
cramfs-tools is a utility suite for creating and checking cramfs (Compressed ROM File System) filesystems, commonly used in embedded Linux systems. The vulnerability stems from CWE-61 (UNIX Symbolic Link Following), a classic TOCTOU (time-of-check-time-of-use) race condition class. The change_file_status function in cramfsck.c applies ownership and timestamp metadata to extracted files using lchown/chown/utime without first validating that the target path is not a symlink controlled by an attacker. When cramfsck extracts a malicious cramfs image containing crafted symlinks, it can be tricked into modifying metadata on arbitrary files the privileged user has access to. The patch (commit b4a3a695c) converts fatal die() calls to warn_error() for metadata operations and adds comments distinguishing corruption checks from best-effort metadata updates, suggesting the fix focuses on error handling rather than eliminating the symlink following itself. CPE 2.3:a:npitre:cramfs-tools:*:*:*:*:*:*:*:* indicates all versions through 2.2 are affected.
RemediationAI
Apply vendor patch commit b4a3a695c9873f824907bd15659f2a6ac7667b4f available at https://github.com/npitre/cramfs-tools/commit/b4a3a695c9873f824907bd15659f2a6ac7667b4f. Note that no tagged release version incorporating this fix has been independently confirmed from available data - users may need to build from the patched commit directly. Until patching, implement these compensating controls: (1) Never run cramfsck as root or with elevated privileges on untrusted cramfs images - extract as an unprivileged user in an isolated directory first, then inspect contents before applying with privileges. Trade-off: breaks workflows requiring privileged extraction for device/driver nodes. (2) Use mandatory access control (AppArmor/SELinux) to confine cramfsck processes, denying write access outside the intended extraction path. Trade-off: requires policy development and may break legitimate use cases. (3) Extract cramfs images inside ephemeral containers or VMs when processing untrusted sources. Trade-off: adds operational complexity. WARNING: Review the patch diff carefully - it converts fatal errors to warnings for metadata operations but does not add explicit symlink validation (O_NOFOLLOW, lstat checks). Confirm with vendor whether this fully addresses CWE-61 or if additional hardening is needed.
More in Cramfs Tools
View allSame weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30728
GHSA-qv27-xjwp-hw6f