CVE-2026-24846

MEDIUM | CVSS 5/10 | EPSS 0.17%

Last modified

CVE-2026-24846 is a medium-severity vulnerability rated 5/10 on the CVSS scale. malcontent discovers supply-chain compromises through context, differential analysis, and YARA. EPSS estimates a 0.17% chance of exploitation in the next 30 days.

Description

malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received its arguments in the wrong order, so the symlink target was used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 fixes this by passing the `handleSymlink` arguments in the correct order, validating the symlink location, and validating that symlink targets resolve within the extraction directory.
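The two checks the fix describes, validating where an archive symlink is created and where it points, as an added Go example. This is not malcontent's own code: the function `SafeSymlinkPath`, the root `/tmp/extract` and the sample entries are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a link or its target would escape root.
var ErrOutsideRoot = errors.New("symlink escapes extraction directory")

// withinRoot reports whether the cleaned absolute path p lies under root.
func withinRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeSymlinkPath validates one symlink entry from an archive before it is
// created (hypothetical helper, not malcontent's handleSymlink). linkName is
// the entry's path inside the archive, i.e. where the link is placed; target
// is the link's content. The first check rejects a link that would be written
// outside root (this is also what catches a swapped location/target pair);
// the second rejects a link that points outside root.
func SafeSymlinkPath(root, linkName, target string) (string, error) {
	root = filepath.Clean(root)
	loc := filepath.Join(root, linkName) // Join also collapses ".." segments
	if !withinRoot(root, loc) {
		return "", fmt.Errorf("location %q: %w", linkName, ErrOutsideRoot)
	}
	// An absolute target always leaves root; rejecting it is the stricter
	// choice made here (rewriting it relative to root is an alternative).
	if filepath.IsAbs(target) {
		return "", fmt.Errorf("target %q: %w", target, ErrOutsideRoot)
	}
	// A relative target resolves against the directory that holds the link.
	resolved := filepath.Join(filepath.Dir(loc), target)
	if !withinRoot(root, resolved) {
		return "", fmt.Errorf("target %q: %w", target, ErrOutsideRoot)
	}
	return loc, nil
}

func main() {
	root := "/tmp/extract" // constructed extraction directory
	for _, e := range [][2]string{
		{"bin/ls", "busybox"},            // ok: link and target inside root
		{"../../outside/link", "x"},      // link placed outside root
		{"bin/sh", "../../../outside/f"}, // link points outside root
		{"bin/sh", "/outside/f"},         // absolute target
	} {
		loc, err := SafeSymlinkPath(root, e[0], e[1])
		fmt.Printf("%-20s -> %-18s loc=%q err=%v\n", e[0], e[1], loc, err)
	}
}
```

Only the lexical resolution is checked here; an extractor that must also defend against links chained through already-extracted symlinks would additionally resolve the on-disk path before creating each link.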

Metrics

CVSS 3.1
5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

EPSS Probability
0.17%

6.3rd percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor     | Product    | Versions
Chainguard | Malcontent | >= 1.8.0, < 1.20.3

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-24846?
malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received its arguments in the wrong order, so the symlink target was used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 fixes this by passing the `handleSymlink` arguments in the correct order, validating the symlink location, and validating that symlink targets resolve within the extraction directory.
How severe is CVE-2026-24846?
CVE-2026-24846 has a CVSS score of 5/10 (MEDIUM severity). The EPSS model estimates a 0.17% probability of exploitation in the next 30 days.
How do I fix CVE-2026-24846?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-24846?

Run a free Strix scan to check your systems for this vulnerability.


Source: NVD / NIST