CVE-2026-8274 Overview
CVE-2026-8274 is a path traversal vulnerability [CWE-22] in npitre cramfs-tools versions up to 2.1. The flaw resides in the do_directory function of cramfsck.c within the Directory Handler component. A crafted cramfs image can contain directory entries with names that include path separators or traversal sequences such as .., causing the file system checker to write files outside the intended extraction directory. Exploitation requires local access and limited privileges, and a public disclosure exists. The maintainer fixed the issue in version 2.2 via commit 2fc492747115b24d8a07eddd27a2d45229cb273c.
Critical Impact
A malicious cramfs image processed by cramfsck can write or overwrite files outside the target directory through directory entry names containing /, ., or .. components.
Affected Products
- npitre cramfs-tools versions up to and including 2.1
- cramfsck utility (Directory Handler / do_directory function)
- Downstream tooling and build environments bundling vulnerable cramfs-tools releases
Discovery Timeline
- 2026-05-11 - CVE-2026-8274 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8274
Vulnerability Analysis
The vulnerability exists in cramfsck.c, the source of the cramfs file system checker. When do_directory iterates over directory entries inside a cramfs image, it concatenates each entry's name onto the current extraction path without validating the name itself. An attacker who supplies a crafted image can embed directory entry names that contain forward slashes or ./.. components. When cramfsck extracts the image, those names are treated as additional path segments, allowing files to be created outside the intended output directory.
The issue is classified as path traversal [CWE-22]. The attack vector is local because the attacker must convince a user or process to run cramfsck against the malicious image. The impact is bounded by the privileges of the process invoking cramfsck, but in build pipelines or rootfs preparation workflows this can include privileged accounts.
Root Cause
The root cause is missing input validation on filenames read from the cramfs directory structure. The original do_directory implementation enforced only a length check and trusted the on-disk filename. There was no rejection of /, ., or .. components, so attacker-controlled bytes in the image were passed directly into expand_fs and the subsequent file creation calls.
Attack Vector
An attacker crafts a cramfs image whose directory entries contain malicious names such as ../../etc/cron.d/payload. The attacker then delivers this image to a target that runs cramfsck for verification or extraction, for example as part of firmware unpacking, CI workflows, or filesystem inspection tooling. When the checker processes the image, files are written along the traversed path, enabling arbitrary file write within the privileges of the invoking process.
// Patch from cramfsck.c - validates dirent names before extraction
if ((pathlen + newlen) - strlen(newpath) > 3) {
die(FSCK_UNCORRECTED, 0, "bad filename length");
}
+ {
+ const char *name = newpath + pathlen;
+ if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0 ||
+ strchr(name, '/') != NULL) {
+ die(FSCK_UNCORRECTED, 0, "bad filename: %s", name);
+ }
+ }
expand_fs(newpath, child);
offset += newlen;
Source: GitHub Commit 2fc4927. The patch rejects any directory entry whose name equals ., .., or contains a / separator.
Detection Methods for CVE-2026-8274
Indicators of Compromise
- Files created by cramfsck outside the intended extraction directory, particularly under system paths such as /etc, /usr, or /root.
- cramfsck process invocations referencing untrusted .cramfs images received from external sources.
- Audit log entries showing cramfsck opening or writing files whose paths contain unexpected parent-directory traversals.
Detection Strategies
- Inspect cramfs images with a hardened parser and flag any directory entry whose name contains /, ., or .. components.
- Hash the installed cramfs-tools binaries and compare against version 2.2 release artifacts from the upstream GitHub Release v2.2.
- Add file integrity monitoring on directories adjacent to those used for cramfs extraction so unexpected writes outside the target path generate alerts.
Monitoring Recommendations
- Log all cramfsck executions in build, CI, and firmware-handling environments, including the image path and invoking user.
- Monitor execve events for cramfsck followed by file writes outside the working directory using Linux auditd or eBPF.
- Track ingestion of cramfs images from external suppliers and require provenance checks before processing.
How to Mitigate CVE-2026-8274
Immediate Actions Required
- Upgrade cramfs-tools to version 2.2, which contains commit 2fc492747115b24d8a07eddd27a2d45229cb273c.
- Audit build systems, firmware extraction pipelines, and developer workstations for older cramfsck binaries and replace them.
- Restrict execution of cramfsck against untrusted images to non-privileged, sandboxed accounts.
Patch Information
The fix is included in GitHub Release v2.2. The relevant change is GitHub Commit 2fc4927, which validates directory entry names in do_directory and aborts on any name equal to ., .., or containing /. Additional context is available in GitHub Issue #12 and VulDB #362571.
Workarounds
- Avoid running cramfsck against cramfs images sourced from untrusted parties until the upgrade to 2.2 is complete.
- Execute cramfsck inside a chroot, container, or unprivileged user namespace so any traversal write is contained.
- Pre-screen cramfs images with a custom parser that rejects directory entries containing path separators or dot components.
# Build and install the patched cramfs-tools (v2.2)
git clone https://github.com/npitre/cramfs-tools.git
cd cramfs-tools
git checkout v2.2
make
sudo install -m 0755 cramfsck /usr/local/bin/cramfsck
cramfsck -v /path/to/image.cramfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
