FKIE_CVE-2026-24049

Vulnerability from fkie_nvd - Published: 2026-01-22 05:16 - Updated: 2026-02-18 14:56
Severity ?
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
References
security-advisories@github.comhttps://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fefPatch
security-advisories@github.comhttps://github.com/pypa/wheel/releases/tag/0.46.2Product, Release Notes
security-advisories@github.comhttps://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fxExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
wheel_project wheel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wheel_project:wheel:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "977849BE-E1EA-4B60-AF30-9C248A8B9635",
              "versionEndExcluding": "0.46.2",
              "versionStartIncluding": "0.40.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2."
    },
    {
      "lang": "es",
      "value": "wheel es una herramienta de l\u00ednea de comandos para manipular archivos wheel de Python, seg\u00fan se define en PEP 427. En las versiones 0.40.0 a 0.46.1, la funci\u00f3n unpack es vulnerable a la modificaci\u00f3n de permisos de archivos debido a un manejo incorrecto de los permisos de archivos despu\u00e9s de la extracci\u00f3n. La l\u00f3gica conf\u00eda ciegamente en el nombre de archivo del encabezado del archivo comprimido para la operaci\u00f3n chmod, a pesar de que el propio proceso de extracci\u00f3n podr\u00eda haber saneado la ruta. Los atacantes pueden crear un archivo wheel malicioso que, al ser descomprimido, cambia los permisos de archivos cr\u00edticos del sistema (por ejemplo, /etc /passwd, claves SSH, archivos de configuraci\u00f3n), permitiendo la escalada de privilegios o la ejecuci\u00f3n de c\u00f3digo arbitrario al modificar scripts ahora escribibles. Este problema ha sido solucionado en la versi\u00f3n 0.46.2."
    }
  ],
  "id": "CVE-2026-24049",
  "lastModified": "2026-02-18T14:56:48.657",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-22T05:16:23.157",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/pypa/wheel/releases/tag/0.46.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.