CVE-2026-8784
MEDIUM
npitre cramfs-tools cramfsck.c change_file_status symlink
Title source: cnaDescription
A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack requires a local approach. The exploit is now public and may be used. The patch is named b4a3a695c9873f824907bd15659f2a6ac7667b4f. It is recommended to apply a patch to fix this issue.
References (7)
Core References
VDB-364408 | npitre cramfs-tools cramfsck.c change_file_status symlink
Tags: vdb-entry, technical-description
https://vuldb.com/vuln/364408

VDB-364408 | CTI Indicators (IOB, IOC, IOA)
Tags: signature, permissions-required
https://vuldb.com/vuln/364408/cti

Submit #811897 | GNU cramfs-tools below v2.2 Symlink Following
Tags: third-party-advisory
https://vuldb.com/submit/811897

Tags: exploit, issue-tracking
https://github.com/npitre/cramfs-tools/issues/13

Tags: issue-tracking
https://github.com/npitre/cramfs-tools/issues/13#issuecomment-4306102583

Tags: product
https://github.com/npitre/cramfs-tools/
Scores
CVSS v3: 4.2
EPSS: 0.0002
EPSS Percentile: 6.2%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-59, CWE-61
Status: published
Products (3)
npitre/cramfs-tools 2.0
npitre/cramfs-tools 2.1
npitre/cramfs-tools 2.2
Published: May 18, 2026
Tracked Since: May 18, 2026