Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
AnalysisAI
Local symlink exploitation in FastNetMon Community Edition through 1.2.9 allows a low-privileged local attacker to overwrite arbitrary files as the process user, which is typically root. The statistics output path is hardcoded to the predictable world-accessible location /tmp/fastnetmon.dat, written via std::ios::trunc without O_NOFOLLOW or symlink validation, and the daemon sets umask to 0 at startup making all created files world-writable. A secondary chmod() bug further misapplies permissions to the wrong path. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, but the typical root execution context makes this a reliable local privilege escalation primitive despite the moderate CVSS score.
Technical ContextAI
FastNetMon Community Edition is an open-source high-performance DDoS detection daemon. The vulnerability is rooted in CWE-59 (Improper Link Resolution Before File Access). Three compounding implementation defects exist in the source: (1) src/fastnetmon.cpp line 159 hardcodes the statistics file path to /tmp/fastnetmon.dat - a predictable, world-accessible location; (2) the print_screen_contents_into_file() function in src/fastnetmon_logic.cpp line 2186 opens that path using std::ios::trunc without the O_NOFOLLOW or O_EXCL flags, meaning the C++ standard library will silently follow an attacker-placed symlink and truncate whatever the symlink targets; (3) during daemonization at src/fastnetmon.cpp line 1821 the process calls umask(0), causing every subsequently created file to receive permissions 0666 or 0777 - fully world-writable. A separate code bug at line 2190 applies chmod() to cli_stats_file_path regardless of the file_path parameter actually passed, meaning the wrong file can receive altered permissions. The CPE string provided by NVD (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is generic and of limited use for automated asset scanning.
RemediationAI
No vendor-released patched version has been independently confirmed from the available data - the upstream GitHub repository at https://github.com/pavel-odintsov/fastnetmon and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48693 should be monitored for an official fix release. Until a patch is available, apply the following specific compensating controls: First, run FastNetMon under a dedicated low-privilege service account rather than root using systemd's User= and Group= directives - this is the highest-impact mitigation as it constrains the blast radius of a successful symlink attack to files owned by that account rather than the entire system; note this may require adjusting network capture permissions (e.g., CAP_NET_RAW capability). Second, pre-create /tmp/fastnetmon.dat as a regular file owned by the FastNetMon service account before daemon startup (e.g., via a systemd ExecStartPre= step) - an existing file owned by the process user prevents an attacker from replacing it with a symlink, though this mitigation must survive reboots via tmpfiles.d configuration. Third, consider mounting /tmp as a private tmpfs namespace for the FastNetMon service via systemd's PrivateTmp=true directive, which isolates the daemon's /tmp view entirely and eliminates the shared /tmp attack surface with no significant side effects for this workload.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31899
GHSA-f762-5mrw-32x8