Bug 2481556 (CVE-2026-48693) - CVE-2026-48693 fastnetmon: local symlink attack via predictable file paths in /tmp
Summary: CVE-2026-48693 fastnetmon: local symlink attack via predictable file paths in...
Keywords:
Status: NEW
Alias: CVE-2026-48693
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2482721 2482722
Blocks:
 
Reported: 2026-05-26 17:03 UTC by OSIDB Bzimport
Modified: 2026-05-28 15:42 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-26 17:03:54 UTC
FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
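The report above describes three cooperating defects: a fixed, world-known path under /tmp, an open() that follows symlinks and truncates, and a zeroed umask that leaves whatever gets created world-writable. The following is an added example, not FastNetMon's code, that stages that attack against a naive writer and shows a hardened writer refusing it. The function names (write_stats_naive, write_stats_safe, demo_symlink_attack) are hypothetical, and a private mkdtemp() directory stands in for /tmp so the demo can run unprivileged; the victim file, the planted symlink and the written contents are constructed for the demo.

```cpp
// Added example (not FastNetMon code): naive vs. hardened stats-file writer,
// plus a demo that plants a symlink at the predictable name and watches what
// each writer does with it. Names and sample data are hypothetical.
#include <cerrno>
#include <cstdlib>
#include <fstream>
#include <initializer_list>
#include <sstream>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Naive pattern: std::ofstream(path, trunc) is open(O_WRONLY|O_CREAT|O_TRUNC)
// underneath, resolves any symlink at 'path', and creates new files as
// 0666 & ~umask, i.e. world-writable once a daemon has done umask(0).
static bool write_stats_naive(const std::string& path, const std::string& body) {
    std::ofstream out(path, std::ios::out | std::ios::trunc);
    if (!out.is_open()) return false;
    out << body;
    return out.good();
}

// Hardened pattern: O_NOFOLLOW makes a symlink at the final component fail
// with ELOOP before anything is touched; no O_TRUNC at open time, so a
// hard link to someone else's file is not truncated before we can inspect
// it; fstat() on the descriptor (not the path) rejects non-regular files,
// multi-link files and files owned by another uid; the explicit 0644 mode and
// fchmod() on the descriptor are immune to the zeroed umask and to path races.
static bool write_stats_safe(const std::string& path, const std::string& body, int* err) {
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) { if (err) *err = errno; return false; }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid()) {
        if (err) *err = EPERM;
        close(fd);
        return false;
    }
    if (fchmod(fd, 0644) != 0 || ftruncate(fd, 0) != 0) { if (err) *err = errno; close(fd); return false; }
    size_t done = 0;
    while (done < body.size()) {
        ssize_t n = write(fd, body.data() + done, body.size() - done);
        if (n < 0) { if (errno == EINTR) continue; if (err) *err = errno; close(fd); return false; }
        done += static_cast<size_t>(n);
    }
    return close(fd) == 0;
}

struct DemoResult {
    bool naive_followed_link;   // victim was overwritten through the symlink
    bool safe_refused;          // hardened writer returned false on the symlink
    int  safe_errno;            // errno it reported (ELOOP expected)
    bool victim_intact;         // victim still holds its original bytes afterwards
    bool naive_world_writable;  // file created under umask(0) by the naive writer
    bool safe_mode_0644;        // file created under umask(0) by the hardened writer
};

static std::string slurp(const std::string& p) {
    std::ifstream in(p); std::stringstream ss; ss << in.rdbuf(); return ss.str();
}
static mode_t perm_bits(const std::string& p) {
    struct stat st; return stat(p.c_str(), &st) == 0 ? (st.st_mode & 07777) : 0;
}

// Stages the attack in a fresh mkdtemp() directory standing in for /tmp:
// the attacker plants fastnetmon.dat -> victim, then the "daemon" writes stats.
static DemoResult demo_symlink_attack() {
    DemoResult r{};
    const char* base = getenv("TMPDIR");
    std::string dir = std::string(base && *base ? base : "/tmp") + "/fnm_demo_XXXXXX";
    if (!mkdtemp(&dir[0])) return r;                         // everything false: setup failed
    const std::string victim = dir + "/victim";
    const std::string stats  = dir + "/fastnetmon.dat";      // the predictable name
    write_stats_safe(victim, "secret config\n", nullptr);   // file the attacker wants clobbered
    symlink(victim.c_str(), stats.c_str());                  // attacker's planted symlink

    write_stats_naive(stats, "stats\n");                     // naive daemon write follows it
    r.naive_followed_link = (slurp(victim) == "stats\n");

    write_stats_safe(victim, "secret config\n", nullptr);   // restore victim for round two
    r.safe_refused  = !write_stats_safe(stats, "stats\n", &r.safe_errno);
    r.victim_intact = (slurp(victim) == "secret config\n");

    mode_t old = umask(0);                                   // as daemonization in the report does
    write_stats_naive(dir + "/naive.dat", "x\n");
    write_stats_safe(dir + "/safe.dat", "x\n", nullptr);
    umask(old);
    r.naive_world_writable = (perm_bits(dir + "/naive.dat") & S_IWOTH) != 0;
    r.safe_mode_0644       = (perm_bits(dir + "/safe.dat") == 0644);

    for (const char* f : {"victim", "fastnetmon.dat", "naive.dat", "safe.dat"})
        unlink((dir + "/" + f).c_str());
    rmdir(dir.c_str());
    return r;
}
```

Note that O_NOFOLLOW and the fstat() checks only contain the damage; they do not make a fixed name in a shared, sticky /tmp safe, because an attacker can still pre-create a regular file there to cause a denial of service. The durable fix is to write the statistics file into a directory owned by the service user with mode 0700 (or an O_EXCL temporary file renamed into place there), and to set a sane umask such as 022 after daemonizing rather than 0.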

