Insecure Temporary File Handling in GNU Gzip's Gzexe Utility
CVE-2026-41991

2 LOW

Key Information:

Vendor: GNU
Status: Vendor
CVE Published: 29 June 2026

What is CVE-2026-41991?

The gzexe utility in GNU gzip is susceptible to a vulnerability stemming from insecure handling of temporary files. When the mktemp utility is absent from the user's PATH, gzexe falls back to building the temporary file path from the process ID (PID) alone. The resulting filename is predictable, and the file is created without an exclusive-access or existence check, which permits a local attacker to create a symbolic link in advance at the anticipated temporary file location. When gzexe then writes to that path, it may follow the symbolic link and overwrite a different file chosen by the attacker. This is a time-of-check to time-of-use (TOCTOU) condition that ultimately enables unauthorized file overwrites. The issue has been fixed in commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269.
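The two patterns the description contrasts, as an added illustration that is neither gzexe's own code nor a reproduction of the fix commit: a PID-only fallback name beside an exclusive-create alternative that refuses a pre-existing entry instead of following it. The function names, the TMPDIR handling and the `gzexe.XXXXXXXXXX` template are assumptions.

```shell
#!/bin/sh
# Added illustrative example; not gzexe's code and not the fix commit.
# Contrasts the predictable PID-only fallback described in the advisory
# with an exclusive-create pattern. Function names are hypothetical.

# Predictable fallback: the name depends only on $$, so any local user who
# can write to the directory can pre-create an entry (e.g. a symlink) there.
predictable_tmp_path() {
    echo "${TMPDIR:-/tmp}/gzexe$$"
}

# exclusive_create PATH
# Creates PATH under the shell's noclobber mode (set -C). POSIX shells
# implement noclobber with O_CREAT|O_EXCL, so the redirection fails on any
# pre-existing entry at PATH, a symbolic link included, rather than
# following it. umask 077 keeps the new file private to its creator.
exclusive_create() {
    (umask 077; set -C; : > "$1") 2>/dev/null
}

# safe_tmp_create [DIR]
# Prefers mktemp(1), which creates an unpredictably named file atomically.
# Only when mktemp is missing does it fall back to the PID-based name, and
# even then it insists on exclusive creation instead of a blind overwrite.
safe_tmp_create() {
    dir=${1:-${TMPDIR:-/tmp}}
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/gzexe.XXXXXXXXXX"
        return
    fi
    file="$dir/gzexe$$"
    if exclusive_create "$file"; then
        echo "$file"
    else
        echo "safe_tmp_create: refusing to use existing path $file" >&2
        return 1
    fi
}
```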

Affected Version(s)

gzip, all versions up to and including 1.14

CVSS V4

Score: 2
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)