CVE-2026-24846

EPSS 0.17%
Veröffentlicht 29.01.2026 21:12:18
Zuletzt bearbeitet 24.02.2026 19:51:41
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

malcontent's archive extraction could write outside extraction directory

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Chainguard ≫ Malcontent Version >= 1.8.0 < 1.20.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.063

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5	1.3	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
security-advisories@github.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-683 Function Call With Incorrect Order of Arguments

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh

Vendor Advisory

https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96

Patch

https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-24846

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24846

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24846

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24846