Description

malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received its arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap the `handleSymlink` arguments, validate the symlink location, and validate that symlink targets resolve within the extraction directory.
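The two validations described above (link location and link target must both stay inside the extraction directory) can be sketched as follows. This is an added example, not malcontent's code; `checkSymlink`, `within`, the `/tmp/extract` root and the sample entries are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("escapes extraction directory")

// within reports whether cleaned path p is root or lies beneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkSymlink (hypothetical helper) validates one archive symlink entry
// before it is created. name is where the link is created (tar header Name);
// target is what it points to (tar header Linkname). Keeping the two apart
// matters: swapping them is the argument-order bug the advisory describes.
func checkSymlink(root, name, target string) (string, error) {
	root = filepath.Clean(root)
	loc := filepath.Join(root, name) // Join also cleans ".." segments
	if loc == root || !within(root, loc) {
		return "", fmt.Errorf("location %q: %w", name, errEscape)
	}
	resolved := filepath.Clean(target) // absolute targets are checked as-is
	if !filepath.IsAbs(target) {
		// Relative targets resolve against the directory holding the link.
		resolved = filepath.Join(filepath.Dir(loc), target)
	}
	if !within(root, resolved) {
		return "", fmt.Errorf("target %q: %w", target, errEscape)
	}
	return loc, nil
}

func main() {
	// Constructed sample entries: {name, target}.
	entries := [][2]string{
		{"pkg/lib.so", "../lib/real.so"}, // stays inside the root
		{"pkg/up", "../../outside"},      // relative target climbs out
		{"pkg/abs", "/outside/abs"},      // absolute target outside the root
		{"../escape", "file"},            // link location outside the root
	}
	for _, e := range entries {
		loc, err := checkSymlink("/tmp/extract", e[0], e[1])
		fmt.Printf("%-12s -> %-16s loc=%q err=%v\n", e[0], e[1], loc, err)
	}
}
```

The check is lexical only: it does not follow symlinks that already exist under the extraction directory, so an extractor should also resolve the parent path (for example with `filepath.EvalSymlinks`) before creating the link.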

INFO

Published Date: 2026-01-29T21:12:18.991Z

Last Modified: 2026-01-29T21:37:29.730Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-24846 vulnerability.

Vendors Products
Chainguard
  • Malcontent
Chainguard-dev
  • Malcontent

CVSS Vulnerability Scoring System

Vector metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact.