CVE-2026-8784 Overview
CVE-2026-8784 is a symlink following vulnerability [CWE-59] in npitre cramfs-tools versions up to 2.2. The flaw resides in the change_file_status function within cramfsck.c. An attacker with local access and high privileges can manipulate filesystem symbolic links to redirect file status operations to unintended targets. A public exploit has been disclosed, and a patch identified as commit b4a3a695c9873f824907bd15659f2a6ac7667b4f is available in the upstream repository.
Critical Impact
Successful exploitation enables a local actor to alter file ownership or permissions on files outside the intended target through symlink redirection, undermining filesystem integrity controls.
Affected Products
- npitre cramfs-tools versions up to and including 2.2
- cramfsck utility shipped with affected cramfs-tools releases
- Downstream Linux distributions packaging vulnerable cramfs-tools builds
Discovery Timeline
- 2026-05-18 - CVE-2026-8784 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8784
Vulnerability Analysis
The vulnerability is classified under [CWE-59] Improper Link Resolution Before File Access, commonly referred to as a symlink following issue. The change_file_status function in cramfsck.c operates on file paths without verifying whether the target is a symbolic link before applying status changes. When cramfsck is invoked in repair or check mode against an attacker-influenced directory, the utility follows planted symlinks and applies operations to files outside the intended scope.
The attack requires local access and elevated privileges, since cramfsck is typically run by administrators or build pipelines. Public exploit details are referenced in the GitHub Issue Tracker and the VulDB Vulnerability Details entry. The EPSS probability is 0.016%, reflecting limited observed exploitation activity.
Root Cause
The root cause is the absence of link checks in change_file_status before performing privileged file operations. The function does not use lstat semantics or O_NOFOLLOW style protections, allowing symbolic links present in the working tree to redirect operations to arbitrary filesystem paths reachable by the invoking user.
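The difference between a path-based status change and the O_NOFOLLOW style protection described above, shown as an added C illustration rather than code from cramfs-tools. The function names, the /tmp fixture and its file names are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (hypothetical helper): chmod() follows a symlink at path. */
static int set_mode_following(const char *p, mode_t m) { return chmod(p, m); }

/* Hardened pattern: O_NOFOLLOW makes open() fail (ELOOP) when the final path
 * component is a symlink; fstat()/fchmod() then act on the opened inode only.
 * Earlier path components are still resolved, so keep the parent trusted. */
static int set_mode_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed fixture: <tmp>/sensitive (mode 0600) and a planted link
 * <tmp>/entry -> sensitive. Returns sensitive's mode after fn(entry, 0644). */
static int target_mode_after(int (*fn)(const char *, mode_t))
{
    char dir[] = "/tmp/symdemoXXXXXX", target[64], entry[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/sensitive", dir);
    snprintf(entry, sizeof entry, "%s/entry", dir);
    int fd = open(target, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) || chmod(target, 0600) || symlink(target, entry))
        return -1;
    fn(entry, 0644);
    int mode = stat(target, &st) ? -1 : (int)(st.st_mode & 07777);
    unlink(entry); unlink(target); rmdir(dir);
    return mode;
}

int main(void)
{
    printf("path-based: %o\n", (unsigned)target_mode_after(set_mode_following));
    printf("O_NOFOLLOW: %o\n", (unsigned)target_mode_after(set_mode_nofollow));
    return 0;
}
```

The path-based call changes the mode of the link's target, while the hardened call refuses the link and leaves the target untouched.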
Attack Vector
An attacker with local access stages a crafted directory tree or cramfs image containing symbolic links pointing to sensitive files. When a privileged user runs cramfsck against the staged content, the utility follows the symlinks and modifies the status of the linked targets rather than the in-tree files. The published patch removes the unsafe flow by reworking error and exit handling around the affected code path.
// Patch excerpt from cramfsck.c
// Source: https://github.com/npitre/cramfs-tools/commit/b4a3a695c9873f824907bd15659f2a6ac7667b4f
exit(status);
}
-static void die(int status, int syserr, const char *fmt, ...)
+static void print_error(int saved_errno, int syserr, const char *fmt, va_list arg_ptr)
{
- va_list arg_ptr;
- int save = errno;
-
fflush(0);
- va_start(arg_ptr, fmt);
fprintf(stderr, "%s: ", progname);
vfprintf(stderr, fmt, arg_ptr);
if (syserr) {
- fprintf(stderr, ": %s", strerror(save));
+ fprintf(stderr, ": %s", strerror(saved_errno));
}
fprintf(stderr, "\n");
+}
+
+static void __attribute__((noreturn)) die(int status, int syserr, const char *fmt, ...)
+{
+ int save = errno;
+ va_list arg_ptr;
+
+ va_start(arg_ptr, fmt);
+ print_error(save, syserr, fmt, arg_ptr);
+ va_end(arg_ptr);
+ exit(status);
+}
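Review bot: die() and print_error() pass a caller-supplied fmt on to vfprintf() without a printf format attribute; since die() is already gaining __attribute__((noreturn)), adding format(printf, 3, 4) there (and format(printf, 3, 0) on print_error()) would let the compiler check every call site's arguments. Separately, nothing in these lines touches change_file_status or adds an lstat or O_NOFOLLOW style check, so the link handling should be reviewed against the full commit rather than this excerpt.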
This patch ensures die() actually terminates execution by marking it noreturn and centralizing error printing in print_error(). Without a real termination, downstream code paths including change_file_status could continue executing on attacker-controlled paths after error conditions.
Detection Methods for CVE-2026-8784
Indicators of Compromise
- Unexpected ownership or permission changes on files outside the directory targeted by cramfsck invocations.
- Presence of symbolic links inside cramfs working directories that resolve to system paths such as /etc, /root, or /var.
- Audit log entries showing cramfsck executions immediately preceding privileged file metadata changes.
Detection Strategies
- Inventory hosts running cramfs-tools package versions at or below 2.2 using package management queries such as dpkg -l cramfs-tools or rpm -q cramfs-tools.
- Hash the installed cramfsck binary and compare against builds derived from the patched commit b4a3a695c9873f824907bd15659f2a6ac7667b4f.
- Review build pipelines and embedded Linux image workflows that invoke cramfsck against untrusted filesystem images.
Monitoring Recommendations
- Enable Linux audit rules on chown, chmod, and fchownat syscalls executed by cramfsck to flag changes that traverse symlinks.
- Monitor for cramfsck execution as root or via build automation accounts and correlate with subsequent filesystem metadata changes.
- Track package update events to confirm patched cramfs-tools versions propagate across the fleet.
How to Mitigate CVE-2026-8784
Immediate Actions Required
- Apply the upstream patch by rebuilding cramfs-tools from commit b4a3a695c9873f824907bd15659f2a6ac7667b4f or installing a distribution package that incorporates it.
- Restrict cramfsck execution to trusted operators and avoid running it against directories or images sourced from untrusted users.
- Audit existing automation that processes cramfs images for symlink contents before invoking repair operations.
Patch Information
The fix is published in the upstream repository at GitHub Commit Details. Discussion and reproduction details are tracked in GitHub Issue Tracker. Downstream maintainers should pull the patched source and rebuild affected packages.
Workarounds
- Run cramfsck only inside ephemeral, isolated containers or chroots that do not expose sensitive host paths.
- Pre-scan target directories for symbolic links with find <path> -type l and remove or reject untrusted links before invoking the tool.
- Drop privileges where possible by executing cramfsck under a dedicated unprivileged service account.
# Verify installed cramfs-tools version and scan target trees for symlinks
cramfsck -V
find /path/to/cramfs/work -xdev -type l -print
# Reject the workload if symlinks reference paths outside the working tree
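One way to implement the rejection step named in the comment above, as an added C example that is not part of cramfs-tools. It goes beyond the find pre-scan by resolving every link and flagging those that dangle or leave the tree; walk and count_escaping_links are hypothetical names.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (hypothetical helper names). walk() uses lstat() so links are
 * inspected, never followed; it counts links that dangle or leave root. */
static int walk(const char *dir, const char *root)
{
    char path[PATH_MAX], real[PATH_MAX];
    size_t n = strlen(root);
    struct stat st;
    int bad = 0;
    DIR *d = opendir(dir);
    if (!d)
        return 1; /* unreadable directory: fail closed */
    for (struct dirent *e; (e = readdir(d)) != NULL;) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0) {
            bad++; /* entry vanished or is unreadable: fail closed */
        } else if (S_ISDIR(st.st_mode)) {
            bad += walk(path, root);
        } else if (S_ISLNK(st.st_mode) &&
                   (!realpath(path, real) || strncmp(real, root, n) != 0 ||
                    (real[n] != '/' && real[n] != '\0'))) {
            fprintf(stderr, "reject: %s\n", path);
            bad++;
        }
    }
    closedir(d);
    return bad;
}

static int count_escaping_links(const char *tree)
{
    char root[PATH_MAX];
    return realpath(tree, root) ? walk(root, root) : -1; /* -1: bad tree */
}

int main(int argc, char **argv)
{
    return count_escaping_links(argc > 1 ? argv[1] : ".") != 0;
}
```

The scan is a point-in-time check, so run it on a tree that no other user can modify between the scan and the cramfsck run.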
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


