Symlink Vulnerability in Malcontent Affecting Supply Chain Security
CVE-2026-24846
What is CVE-2026-24846?
Malcontent, a supply chain security tool, contains a vulnerability that allows symbolic links to be created outside the specified extraction directory when it processes specially crafted tar or deb archives. The flaw lies in the handling of arguments in the handleSymlink function: the arguments were swapped, so the symlink target was used as the location at which the symlink was created. In addition, symlink targets were not validated, so a link could resolve to a directory outside the extraction directory. Version 1.20.3 fixes this by swapping the arguments in handleSymlink back into the correct order and by adding validation that a symlink target resolves within the intended extraction directory.
Affected Version(s)
malcontent >= 1.8.0, < 1.20.3
