Cramfs Tools
Monthly
Symlink following in cramfs-tools 2.2 and earlier allows local privileged attackers to manipulate file ownership or timestamps on arbitrary filesystem locations during cramfs extraction. The vulnerability exists in the change_file_status function in cramfsck.c, which performs metadata operations (chown, chmod, utime) without validating that extracted paths are not symbolic links pointing outside the extraction directory. A publicly available exploit exists (GitHub issue #13), and the vendor has released patch commit b4a3a695c. EPSS data not available; not listed in CISA KEV. CVSS 4.2 reflects the local high-privilege requirement, though real-world risk depends heavily on whether cramfs extraction occurs in privileged contexts.
Path traversal vulnerability in cramfs-tools up to version 2.1 allows local authenticated users to escape directory restrictions via malformed filenames in the Directory Handler component (do_directory function in cramfsck.c). Publicly available exploit code exists. CVSS score of 1.9 reflects low confidentiality, integrity, and availability impact combined with local-only attack vector and required low privilege level; however, the vulnerability enables directory traversal that could facilitate unauthorized file access or modification on systems where cramfs-tools processes untrusted filesystem images.
Symlink following in cramfs-tools 2.2 and earlier allows local privileged attackers to manipulate file ownership or timestamps on arbitrary filesystem locations during cramfs extraction. The vulnerability exists in the change_file_status function in cramfsck.c, which performs metadata operations (chown, chmod, utime) without validating that extracted paths are not symbolic links pointing outside the extraction directory. A publicly available exploit exists (GitHub issue #13), and the vendor has released patch commit b4a3a695c. EPSS data not available; not listed in CISA KEV. CVSS 4.2 reflects the local high-privilege requirement, though real-world risk depends heavily on whether cramfs extraction occurs in privileged contexts.
Path traversal vulnerability in cramfs-tools up to version 2.1 allows local authenticated users to escape directory restrictions via malformed filenames in the Directory Handler component (do_directory function in cramfsck.c). Publicly available exploit code exists. CVSS score of 1.9 reflects low confidentiality, integrity, and availability impact combined with local-only attack vector and required low privilege level; however, the vulnerability enables directory traversal that could facilitate unauthorized file access or modification on systems where cramfs-tools processes untrusted filesystem images.