CVE-2026-8274
MEDIUMnpitre cramfs-tools Directory cramfsck.c do_directory path traversal
Title source: cnaDescription
A security vulnerability has been detected in npitre cramfs-tools up to 2.1. Affected is the function do_directory of the file cramfsck.c of the component Directory Handler. Such manipulation leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2 is able to address this issue. The name of the patch is 2fc492747115b24d8a07eddd27a2d45229cb273c. Upgrading the affected component is recommended.
References (8)
Core 8
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-362571 | npitre cramfs-tools Directory cramfsck.c do_directory path traversal
https://vuldb.com/vuln/362571
Signature, Permissions Required signature
permissions-required
VDB-362571 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/362571/cti
Third Party Advisory third-party-advisory
Submit #810864 | GNU cramfs-tools V2.1 Improper Limitation of a Pathname to a Restricted Directory
https://vuldb.com/submit/810864
Issue Tracking issue-tracking
https://github.com/npitre/cramfs-tools/issues/12
Exploit exploit
issue-tracking
https://github.com/npitre/cramfs-tools/issues/12#issue-4307511739
Product product
https://github.com/npitre/cramfs-tools/
Scores
CVSS v3
5.3
EPSS
0.0017
EPSS Percentile
7.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
npitre/cramfs-tools
2.0
npitre/cramfs-tools
2.1
npitre/cramfs-tools
2.2
Published
May 11, 2026
Tracked Since
May 11, 2026