CVE-2025-27591: 
Rust vulnerability analysis and mitigation

A privilege escalation vulnerability was discovered in Below, a Linux tool for recording and displaying system data, tracked as CVE-2025-27591. The vulnerability affects versions prior to v0.9.0 and stems from incorrect permission assignments in the system. The issue was discovered in January 2025 and publicly disclosed on March 12, 2025 (SecurityOnline, OpenWall).

The vulnerability exists due to the Below service creating a world-writable directory at /var/log/below with 0777 permissions. The service runs with root privileges and attempts to ensure the directory has these permissions even if it already exists. The behavior varies across Linux distributions: in openSUSE Tumbleweed and Gentoo Linux, the directory is created with mode 01755; in Fedora Linux, it's packaged with 01777 permissions; and in Arch Linux AUR, the directory is created with mode 0777. Additionally, Below creates a log file at /var/log/below/error_root.log with mode 0666 permissions (OpenWall). The vulnerability has been assigned a CVSS score of 7.8 (SecurityOnline).

The vulnerability allows local unprivileged users to escalate their privileges to root through symlink attacks. An attacker can manipulate files such as /etc/shadow by exploiting the world-writable permissions. The world-readable permissions applied by Below under /var/log/below could also lead to information leaks, and an unprivileged user can pre-create this directory and control its contents, potentially violating Below's integrity (SecurityOnline).

The vulnerability has been patched in Below version 0.9.0. Users are advised to upgrade to this version. As a temporary workaround, users can manually change the permissions on /var/log/below to more restrictive settings (SecurityOnline).