DIBT-CVE 20260526-0002 Symlink Following in chown/chmod (CRITICAL)

  • Classification: CWE-59 — Improper Link Resolution Before File Access
  • Severity: Critcal

Description:

The set_perm() function applies chown and chmod without the -h / --no-dereference flag.

The issue has been reported as CVE-2026-12503.

Impact:

/etc/passwd becomes owned by root:larmapp with mode 660, making it writable by larmapp.

Mitigation:

Upgrade to firmware 8.4.18.