PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48693 Pavel Odintsov CVE debrief

FastNetMon Community Edition through 1.2.9 contains a local symlink attack vulnerability stemming from insecure temporary file handling. The application defaults to writing statistics data to a predictable path at /tmp/fastnetmon.dat, which it opens with truncation semantics without symlink validation or O_NOFOLLOW protections. A secondary implementation error causes chmod operations to target a fixed path regardless of which file_path parameter was passed, while the daemonization process sets umask to 0, resulting in world-writable file creation. These conditions enable a local attacker with unprivileged access to create a symlink at the predictable path and redirect file operations to arbitrary target files writable by the FastNetMon process user, which typically runs as root. The vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access).

Vendor
Pavel Odintsov
Product
Fastnetmon
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

System administrators running FastNetMon Community Edition on multi-user systems or with root privileges; security teams monitoring for local privilege escalation vectors; DevOps engineers deploying FastNetMon in containerized or shared environments where /tmp isolation may be insufficient

Technical summary

The vulnerability exists in FastNetMon Community Edition's statistics output functionality. The default configuration writes to /tmp/fastnetmon.dat, a predictable path in a world-writable directory. The implementation uses std::ios::trunc for file operations without O_NOFOLLOW or symlink checks, creating a time-of-check to time-of-use (TOCTOU) race condition. A chmod implementation bug applies permissions to a hardcoded path rather than the passed parameter, and umask 0 during daemonization causes all created files to be world-writable. A local attacker can exploit this by placing a symlink at the predictable path before the FastNetMon process writes statistics, causing arbitrary file overwrite with attacker-controlled content as the process user.

Defensive priority

medium

Recommended defensive actions

  • Upgrade FastNetMon Community Edition to a version newer than 1.2.9 when available, or apply vendor-provided patches addressing symlink handling in temporary file operations
  • Configure FastNetMon to use a non-predictable statistics file path outside of world-writable directories such as /tmp, preferably in a dedicated application directory with restricted permissions
  • Implement filesystem-level protections by mounting /tmp with nosuid,nodev,noexec options and consider using private tmp directories via systemd or equivalent isolation mechanisms
  • Review and restrict local user access to systems running FastNetMon, as exploitation requires local access to create symlinks
  • Monitor for anomalous file creation or modification activity in /tmp and unexpected chmod operations on system files
  • If running FastNetMon as root is required, consider using Linux capabilities or seccomp profiles to restrict file operation syscalls and reduce attack surface
  • Audit existing FastNetMon installations for world-writable files created due to umask 0 configuration and remediate inappropriate permissions

Evidence notes

Vulnerability description identifies specific source file locations: src/fastnetmon.cpp line 159 (default statistics path), src/fastnetmon_logic.cpp line 2186 (print_screen_contents_into_file function with std::ios::trunc), and line 2190 (chmod bug). Umask 0 set during daemonization at src/fastnetmon.cpp line 1821. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N indicates local attack vector with low complexity, low privileges required, and high integrity impact.

Official resources

2026-05-26