CVE-2026-24846: malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction
(updated )
malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The handleSymlink function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory.
References
- github.com/advisories/GHSA-923j-vrcg-hxwh
- github.com/chainguard-dev/malcontent
- github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96
- github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017
- github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh
- nvd.nist.gov/vuln/detail/CVE-2026-24846
Code Behaviors & Features
Detect and mitigate CVE-2026-24846 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →