Symlink — CraftedSignal Threat Feed

CVE-2025-68146 filelock TOCTOU Race Condition Enables Symlink Attacks

hello@craftedsignal.io — Wed, 29 Apr 2026 07:50:36 +0000

CVE-2025-68146 is a security vulnerability residing within the filelock library, a widely used Python library for file locking. The vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during the creation of lock files. This weakness can be exploited by a local attacker to perform symlink attacks. By carefully manipulating the file system, an attacker can potentially redirect the lock creation process to a file location they control. This is a locally exploitable vulnerability with potential for privilege escalation and unauthorized access, but requires local access to the vulnerable system. The advisory was published on April 29, 2026.

Attack Chain

Attacker gains initial local access to the system.
Attacker identifies an application utilizing the vulnerable filelock library for file locking operations.
Attacker creates a symbolic link (symlink) pointing the expected lock file path to a file location under their control.
The vulnerable application attempts to create a lock file at the expected location.
Due to the TOCTOU race condition, between the time the application checks for the existence of the lock file and the time it attempts to create it, the symlink is followed.
The lock file is created in the attacker-controlled location instead of the intended secure location.
The application continues execution, believing it has exclusive access, while the attacker can potentially modify or access the protected resource.

Impact

Successful exploitation of CVE-2025-68146 allows an attacker to manipulate file locking mechanisms, potentially leading to unauthorized modification or access to sensitive files. This can lead to data corruption, privilege escalation, or denial of service. The vulnerability requires local access, limiting the scope of potential attacks, but can be a critical issue in multi-user environments or systems with sensitive data.

Recommendation

Apply patches or updates provided by the vendor (Microsoft) to address CVE-2025-68146 when they become available.
Implement file integrity monitoring to detect unauthorized modifications to critical files and directories.
Deploy the Sigma rule provided below to detect suspicious symlink creation attempts that might indicate exploitation of this TOCTOU vulnerability.

OpenClaw Symlink Vulnerability in SSH Sandbox Tar Upload (CVE-2026-41364)

hello@craftedsignal.io — Tue, 28 Apr 2026 00:16:25 +0000

OpenClaw versions before 2026.3.31 are vulnerable to a symlink following issue within the SSH sandbox tar upload functionality. This vulnerability, identified as CVE-2026-41364, allows a remote attacker with the ability to upload tar archives to the OpenClaw instance to potentially escape the intended sandbox environment. By crafting a malicious tar archive containing carefully constructed symbolic links, an attacker can overwrite arbitrary files on the remote host, leading to a compromise of the system’s integrity. This vulnerability was reported and patched in version 2026.3.31. Defenders need to ensure they are running patched versions to mitigate the risk of exploitation.

Attack Chain

Attacker authenticates to the OpenClaw instance via SSH, gaining access to the restricted sandbox environment.
Attacker crafts a malicious tar archive containing symbolic links pointing outside the intended sandbox directory. These symlinks are designed to target specific files or directories on the host system that the attacker wishes to overwrite.
Attacker uploads the malicious tar archive to the OpenClaw instance using the SSH sandbox tar upload functionality.
OpenClaw extracts the contents of the uploaded tar archive without properly validating or restricting the target paths of the symbolic links.
During extraction, the symbolic links are followed, causing files to be written outside the intended sandbox directory.
The attacker overwrites arbitrary files on the remote host with attacker-controlled content.
The attacker achieves arbitrary code execution or persistence by overwriting critical system files or configuration files.
The attacker escalates privileges by modifying binaries used by privileged users.

Impact

Successful exploitation of this vulnerability allows a remote attacker with low privileges to write arbitrary files on the OpenClaw server. This can lead to a variety of impacts, including arbitrary code execution, privilege escalation, and denial of service. An attacker could potentially gain complete control over the OpenClaw server by overwriting critical system files. Given the potential for complete system compromise, this vulnerability poses a significant risk to organizations using affected versions of OpenClaw.

Recommendation

Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41364.
Deploy the Sigma rule “Detect Suspicious Tar Archive Upload with Symlinks” to detect attempts to upload malicious tar archives containing symbolic links.
Monitor SSH logs for suspicious activity related to tar archive uploads to the OpenClaw instance.

compressing npm Package Symlink Bypass Vulnerability

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

The compressing npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites due to a symlink path traversal bypass. This bypass affects the patch for CVE-2026-24884. The vulnerability arises from an incomplete validation in the isPathWithinParent utility, where path string checks are performed without verifying the filesystem state, specifically symbolic links. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a “poisoned path” on their system. The attacker can then craft a malicious archive that, when extracted by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via git clone makes this vulnerability particularly dangerous.

Attack Chain

Attacker creates a malicious Git repository containing a symbolic link (e.g., config_file) pointing to a sensitive target file or directory (e.g., /tmp/fake_root/etc/passwd).
Attacker generates a malicious payload (e.g., payload.tar) containing a file with the same name as the symbolic link (e.g., config_file) and uploads both to their Git repository.
Victim clones the attacker’s Git repository using git clone. This action automatically restores the symbolic link on the victim’s system.
Victim runs an application that utilizes the vulnerable compressing library to extract the payload.tar archive.
The compressing library’s isPathWithinParent function resolves the path to the file being extracted. Due to lack of lstat checks, the symbolic link is not detected.
The fs.writeFile function follows the symlink, writing the contents of the file from payload.tar to the targeted sensitive file (e.g., /tmp/fake_root/etc/passwd).
Arbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.
Attacker achieves persistent access or control by overwriting critical system files.

Impact

Successful exploitation allows attackers to overwrite arbitrary files on the victim’s system, potentially leading to privilege escalation by modifying sensitive system files such as /etc/passwd. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the compressing library up to version v2.1.0 when extracting untrusted archives.

Recommendation

Upgrade the compressing npm package to a patched version that includes proper symlink handling. This is the primary remediation.
Inspect Git repositories for suspicious symbolic links before cloning. Use git ls-tree -r | grep 120000 to search for symlinks in a repository.
Implement runtime monitoring for file writes to unexpected locations based on the compressing library’s activity. Create a detection rule based on process_creation and file_event to detect writes to sensitive directories such as /etc by processes spawned by Node.js that also load the vulnerable compressing module.
Monitor network connections originating from processes related to the compressing library after file extraction. Create a Sigma rule based on network_connection and process_creation to detect unusual outbound connections after archive extraction.

Dell AppSync 4.6.0 UNIX Symbolic Link Following Vulnerability (CVE-2026-22767)

hello@craftedsignal.io — Wed, 01 Apr 2026 13:16:33 +0000

Dell AppSync version 4.6.0 contains a UNIX Symbolic Link (Symlink) Following vulnerability, identified as CVE-2026-22767. This vulnerability enables a low-privileged attacker with local access to exploit the system and potentially tamper with sensitive information. The vulnerability was disclosed on April 1, 2026. Defenders should be aware of the potential for local privilege escalation and information tampering due to this vulnerability. Addressing this vulnerability is critical to maintaining the integrity and confidentiality of data managed by Dell AppSync.

Attack Chain

Attacker gains local access to the system running Dell AppSync 4.6.0.
Attacker identifies a directory writable by low-privileged users where AppSync improperly handles symlinks.
Attacker creates a malicious symbolic link pointing to a sensitive system file (e.g., /etc/shadow, configuration files).
AppSync, while performing its normal operations, follows the symbolic link created by the attacker.
AppSync attempts to access or modify the target file through the symlink.
Due to insufficient permission checks, AppSync inappropriately overwrites, reads, or modifies the sensitive file.
Attacker leverages the modified sensitive file to escalate privileges or gain unauthorized access.
Attacker achieves the objective of information tampering by modifying application data.

Impact

Successful exploitation of CVE-2026-22767 can lead to information tampering on systems running Dell AppSync 4.6.0. A low-privileged attacker with local access could potentially modify system or application configurations, leading to unauthorized access or disruption of services. The impact includes potential data corruption, privilege escalation, and a compromise of the overall system security posture.

Recommendation

Apply the security update provided by Dell as detailed in DSA-2026-163 to remediate CVE-2026-22767 (https://www.dell.com/support/kbdoc/en-us/000446965/dsa-2026-163-security-update-for-dell-appsync-vulnerabilities).
Implement the “Detect Suspicious Symlink Creation” Sigma rule to identify potentially malicious symlink activity on systems running Dell AppSync.
Monitor file system events for unexpected modifications to sensitive files, particularly those targeted by symlinks, using the “Detect Sensitive File Tampering via Symlink” Sigma rule.

RegPwnBOF Registry Symlink Race Condition Exploit

hello@craftedsignal.io — Thu, 19 Mar 2026 05:23:44 +0000

RegPwnBOF is an exploit leveraging a registry symlink race condition within the Windows Accessibility ATConfig mechanism. This vulnerability allows an unprivileged user to manipulate protected areas of the registry, specifically HKLM, which are typically reserved for administrators or system processes. By exploiting this race condition, an attacker can write arbitrary values to these protected keys. The initial report surfaced around March 2026, highlighting the potential for unauthorized persistence and privilege escalation. This circumvents standard Windows security controls, posing a significant risk to system integrity and confidentiality. The exploit’s accessibility to non-administrator users makes it particularly dangerous in environments where least-privilege principles are not strictly enforced.

Attack Chain

An unprivileged user initiates the ATConfig mechanism within the Windows Accessibility features.
The exploit creates a registry symlink pointing to a protected HKLM key.
A race condition is triggered during the ATConfig process, allowing the exploit to bypass security checks.
The attacker leverages this race condition to overwrite the target HKLM registry key with arbitrary data.
The modified registry key is used to establish persistence, for example, by creating a Run key.
Upon system restart or user login, the malicious payload associated with the modified Run key is executed.
The attacker gains elevated privileges by executing code within the context of a privileged process.

Impact

Successful exploitation of RegPwnBOF allows an attacker to gain persistent access to a compromised system and escalate their privileges to administrator level. This can lead to complete system compromise, data theft, and the installation of malware. The impact is magnified by the fact that this exploit can be triggered by a normal user, bypassing traditional access controls. The number of potential victims is considerable, as the vulnerability exists within the Windows Accessibility features, which are enabled by default on many systems.

Recommendation

Monitor registry modifications targeting HKLM keys, especially those related to Accessibility features, using a process_creation log source and the provided Sigma rules.
Implement strict access controls and least-privilege principles to limit the ability of unprivileged users to interact with system-level configurations.
Investigate any unusual registry symlink creation events using file_event logs, particularly those involving the ATConfig mechanism, to identify potential RegPwnBOF exploitation attempts.

Kata Containers CopyFile Policy Subversion via Symlinks

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

An oversight in the CopyFile policy within Kata Containers allows a malicious host to manipulate guest workload images. The vulnerability stems from insufficient validation within the CopyFileRequest policy, specifically related to symlink creation. The policy primarily checks the destination path of copied files but fails to adequately validate the target of symlinks created via the same API. This flaw was discovered by @calonso-nv and impacts environments where the genpolicy implementation is used to prevent host access to container images, including Confidential Containers workloads which rely on strong isolation. If the guest image is not protected from the host (e.g., when using unprotected host pull), the system is not vulnerable. The affected package is go/github.com/kata-containers/kata-containers versions prior to 0.0.0-20260422180503-1b9e49eb2763.

Attack Chain

The attacker identifies a target file within the guest container image, such as a binary or configuration file they wish to overwrite.
The attacker crafts a CopyFileRequest to create a symbolic link within the /run/kata-containers/shared/containers directory.
The path parameter of the request specifies the location of the symlink within the shared directory.
The data parameter of the request specifies the target of the symbolic link, which points to the target file identified in step 1, inside the guest file system.
The Kata Agent processes the CopyFileRequest, creating the symbolic link within the shared directory, pointing to the target file inside the container image.
The attacker crafts a second CopyFileRequest to copy malicious data into the symlink created in step 5.
The Kata Agent writes the malicious data to the symlink, which then overwrites the original target file within the container image.
The attacker restarts the container or waits for the compromised binary to be executed, achieving arbitrary code execution within the guest.

Impact

Successful exploitation allows attackers to overwrite arbitrary files within container images managed by Kata Containers. This can lead to arbitrary code execution within the guest environment, data exfiltration, and privilege escalation. This is particularly critical in Confidential Containers environments where the trust model explicitly forbids host access to container images. Affected systems are those employing the upstream genpolicy implementation.

Recommendation

Apply the patch or upgrade to go/github.com/kata-containers/kata-containers version 0.0.0-20260422180503-1b9e49eb2763 or later to address CVE-2026-41326.
Monitor the creation of symbolic links within the /run/kata-containers/shared/containers directory, using the provided Sigma rule, as this is an unusual operation (file_event).
Implement strict access controls and monitoring for the Kata Agent to prevent unauthorized CopyFileRequest messages.

OpenClaw Symlink Race Condition Allows Sandbox Escape

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

OpenClaw, a tool available via npm, contains a vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw does not properly validate the target of write operations against the mount root, leaving it susceptible to symlink-based redirection attacks. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.

Attack Chain

An attacker crafts a malicious OpenClaw package or leverages an existing package.
The package contains a symlink within the intended sandbox directory.
The OpenClaw application attempts to write to a file via the symlink.
Between the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.
OpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.
This allows the attacker to overwrite or modify arbitrary files on the system.
The attacker leverages this capability to gain elevated privileges or compromise sensitive data.

Impact

Successful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.

Recommendation

Upgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).
Monitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule Detect OpenClaw Sandbox Escape via Symlink to detect potential exploitation attempts.
Implement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).

Apko DirFS Symlink Path Traversal Vulnerability

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

A path traversal vulnerability exists in apko’s DirFS component, specifically within the sanitizePath helper function in versions prior to 1.2.5. The vulnerability allows a malicious .apk file to install a TypeSymlink tar entry pointing outside the intended build root. Subsequent directory creation or file writing operations could then traverse this symbolic link, leading to unauthorized access and modification of files on the host system. This issue affects users of apko and downstream tools, such as melange, that embed vulnerable versions of the pkg/apk/fs package. The vulnerability was addressed in apko version 1.2.5 with the introduction of *os.Root, which prevents path traversal.

Attack Chain

An attacker crafts a malicious .apk file containing a TypeSymlink tar entry.
The symbolic link’s target is set to a path outside the intended build root, potentially targeting sensitive system directories.
The malicious .apk is processed using a vulnerable version of apko (prior to 1.2.5) via commands like apko build-cpio or through disk-backed consumers such as melange.
During tar extraction, the vulnerable sanitizePath function fails to properly resolve or refuse the malicious symlink.
A subsequent directory-creation or file-write operation is initiated within the same or a later archive entry.
The file operation traverses the previously created symbolic link, gaining access to the file system location outside the intended build root.
The attacker can then create directories or write files to the compromised location, potentially overwriting critical system files or injecting malicious code.
Successful exploitation can lead to privilege escalation and persistent compromise of the host system.

Impact

Successful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the host system. This can lead to privilege escalation if the attacker can overwrite setuid binaries or modify system configuration files. It can also lead to persistent compromise of the system if the attacker injects malicious code into startup scripts or other system files. While the exact number of victims is unknown, any system running a vulnerable version of apko (prior to 1.2.5) or tools embedding vulnerable versions of pkg/apk/fs, such as melange, is potentially at risk.

Recommendation

Upgrade apko to version 1.2.5 or later. This version includes a fix that prevents path traversal vulnerabilities as described in the advisory and commit f5a96e1.
If upgrading is not immediately feasible, avoid consuming APKs from untrusted sources. However, note that this does not fully eliminate the risk.
Monitor file creation events in sensitive directories for unexpected activity, especially after processing .apk files.