FKIE_CVE-2026-24846

Vulnerability from fkie_nvd - Published: 2026-01-29 22:15 - Updated: 2026-02-24 19:51
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
5.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Summary
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory.
References
security-advisories@github.comhttps://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96Patch
security-advisories@github.comhttps://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017Patch
security-advisories@github.comhttps://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwhVendor Advisory
Impacted products
Vendor Product Version
chainguard malcontent *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:chainguard:malcontent:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07A5D3A2-09F1-44A0-AF84-E943CF3DC18C",
              "versionEndExcluding": "1.20.3",
              "versionStartIncluding": "1.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory."
    },
    {
      "lang": "es",
      "value": "malcontent descubre compromisos en la cadena de suministro a trav\u00e9s de contexto, an\u00e1lisis diferencial y YARA. A partir de la versi\u00f3n 1.8.0 y antes de la versi\u00f3n 1.20.3, se pod\u00eda hacer que malcontent creara enlaces simb\u00f3licos fuera del directorio de extracci\u00f3n previsto al escanear un archivo tar o deb especialmente dise\u00f1ado. La funci\u00f3n \u0027handleSymlink\u0027 recibi\u00f3 argumentos en el orden incorrecto, lo que provocaba que el destino del enlace simb\u00f3lico se utilizara como la ubicaci\u00f3n del enlace simb\u00f3lico. Adem\u00e1s, los destinos de los enlaces simb\u00f3licos no se validaban para asegurar que se resolvieran dentro del directorio de extracci\u00f3n. La versi\u00f3n 1.20.3 introduce correcciones que intercambian los argumentos de \u0027handleSymlink\u0027, validan la ubicaci\u00f3n del enlace simb\u00f3lico y validan los destinos de los enlaces simb\u00f3licos que se resuelven dentro de un directorio de extracci\u00f3n."
    }
  ],
  "id": "CVE-2026-24846",
  "lastModified": "2026-02-24T19:51:41.880",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-29T22:15:54.740",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-683"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.