
RPM rpmuncompress CVE-2026-44604

EUVD-2026-32726 | HIGH
OS Command Injection (CWE-78)
2026-05-28 | redhat | GHSA-q856-29gm-xf3x
CVSS 3.1 base score: 7.0

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: May 28, 2026 - 07:52 (vuln.today)
CVE Published: May 28, 2026 - 05:59 (nvd)

Description (NVD)

A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
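The description above names the root cause (an archive's top-level folder name spliced into a shell command string). The following added example is not rpmuncompress code and is not taken from the advisory; it shows a defender-side pre-extraction check that flags ZIP top-level names containing shell metacharacters, and contrasts the unsafe string-formatted command with an argv-list invocation in which the name can only ever be data. The `make_zip` helper, the sample archives and the `mv` command are constructed for illustration.

```python
import io
import subprocess
import zipfile

# Characters a POSIX shell treats specially. A path component containing any of
# these must never be interpolated into a command string that a shell parses.
SHELL_META = set(";&|`$(){}<>'\"\\ \t\n*?[]!#~")


def top_level_names(zip_bytes):
    """Return the distinct top-level path components of a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name.split("/", 1)[0] for name in zf.namelist() if name}


def unsafe_top_level_names(zip_bytes):
    """Pre-extraction check: top-level names that contain shell metacharacters.

    A non-empty result means the archive should be rejected or handled in a
    sandbox rather than passed to any tool that builds shell command lines.
    """
    return sorted(n for n in top_level_names(zip_bytes)
                  if any(c in SHELL_META for c in n))


def build_unsafe_command(folder, dest):
    """The CWE-78 shape: the folder name becomes part of a shell-parsed string."""
    return f"mv {folder} {dest}"  # hypothetical; illustrates the bug class only


def build_safe_argv(folder, dest):
    """Hardened form: an argv list run with shell=False, so metacharacters are
    passed to the program verbatim instead of being interpreted by a shell."""
    return ["mv", "--", folder, dest]


def run_safely(folder, dest):
    """Execute the hardened form; shell=False is the security-relevant setting."""
    return subprocess.run(build_safe_argv(folder, dest), shell=False, check=False)


def make_zip(names):
    """Constructed sample archive builder (test fixture, not real package data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()
```

Note that `build_safe_argv` does not make `mv` itself safe against hostile names (for example, a name beginning with `-` is handled here only because of the `--` separator); it removes the shell from the path entirely, which is the fix for this bug class.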

Analysis (AI)

Command injection in the rpmuncompress utility of RPM allows local attackers to execute arbitrary commands when a victim extracts a maliciously crafted ZIP, 7z, or GEM archive whose top-level folder name contains shell metacharacters. The flaw affects Red Hat Enterprise Linux 6 through 10 and downstream products including OpenShift Container Platform 4, Satellite 6, Red Hat Hardened Images, and Quarkus Native Builder. …


Remediation (AI)

Within 24 hours: identify and inventory all systems running RHEL 6-10, OpenShift Container Platform 4.x, Satellite 6.x, and Quarkus Native Builder in your environment, and restrict archive extraction capabilities. Within 7 days: deploy compensating controls: disable or sandbox archive extraction operations, implement file integrity monitoring on extracted content, and enforce strict user permissions. …


CVE-2026-44604 vulnerability details – vuln.today
