Skip to main content

Severity by source

Vendor (redhat) PRIMARY
7.0 HIGH
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 07:52 vuln.today
CVE Published
May 28, 2026 - 05:59 nvd
HIGH 7.0

DescriptionCVE.org

A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

AnalysisAI

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim extracts a maliciously crafted ZIP, 7z, or GEM archive whose top-level folder name contains shell metacharacters. The flaw affects Red Hat Enterprise Linux 6 through 10 and downstream products including OpenShift Container Platform 4, Satellite 6, Red Hat Hardened Images, and Quarkus Native Builder. No public exploit identified at time of analysis, and the issue requires user interaction with an attacker-supplied archive, but successful exploitation yields full code execution under the extracting user's identity.

Technical ContextAI

RPM (RPM Package Manager) is the foundational package management system for Red Hat-based Linux distributions. The rpmuncompress helper utility is invoked to extract auxiliary archive payloads in non-rpm formats (ZIP, 7z, and Ruby GEM) to a target directory. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command): the utility constructs a shell command string that embeds the archive's top-level directory name without escaping or quoting it, so embedded shell metacharacters such as backticks, $(...), semicolons, or pipes are interpreted by the shell rather than treated as literal filename data. The affected component is bundled into the rpm package shipped with every supported RHEL release (6, 7, 8, 9, 10) as well as multiple Red Hat layered products that consume the same RPM tooling - Pen Drive Powered By Red Hat Lightspeed, Quarkus Native Builder, and Red Hat Hardened Images.

RemediationAI

Patch availability not independently confirmed from the supplied intelligence - monitor https://access.redhat.com/security/cve/CVE-2026-44604 and https://bugzilla.redhat.com/show_bug.cgi?id=2460967 for the released RHSA errata and apply the updated rpm package via dnf update rpm or yum update rpm on each affected RHEL 6/7/8/9/10 host, with corresponding rebuilds for OpenShift, Satellite, Hardened Images, Quarkus Native Builder, and Lightspeed. Until the patch is deployed, avoid invoking rpmuncompress (directly or transitively via rpmbuild/dnf workflows) on ZIP, 7z, or GEM archives obtained from untrusted sources; gate archive ingestion in CI/CD pipelines by validating that the top-level directory name in the archive contains only safe characters (alphanumerics, dot, dash, underscore) before extraction, recognizing that this adds a pre-processing step and may reject legitimate archives with unusual but benign names. Restrict the accounts under which automated extraction runs (least-privilege build users, containerized extraction with no-new-privileges and read-only host mounts) so that successful injection is contained to a low-impact identity.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Micro 5.3 Not-Affected
SUSE Linux Enterprise Micro 5.4 Not-Affected
SUSE Linux Enterprise Micro 5.5 Not-Affected

Share

CVE-2026-44604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy