Command Injection Vulnerability in RPM Utility Affects Red Hat
CVE-2026-44604

CVSS v3.1: 7 (HIGH)

What is CVE-2026-44604?

A command injection vulnerability exists in the rpmuncompress utility of RPM that allows attackers to insert arbitrary commands into the extraction process. It occurs when the utility processes certain archive formats, such as ZIP, 7z, and GEM: if the archive's top-level folder name contains shell metacharacters, arbitrary commands can be executed with the privileges of the user running the extraction. This poses a significant risk to systems using vulnerable RPM versions, as it can be exploited through maliciously crafted archives.
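To illustrate the class of defect described above, here is an added example in Python that is not RPM's or Red Hat's code: a pre-extraction check over a ZIP archive's top-level entry names, shown next to the shell-string form of a follow-up command and its argv-list form that no shell ever parses. The `mv` step, the function names and the two in-memory sample archives are constructed assumptions for the demonstration, not details taken from rpmuncompress.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Characters a POSIX shell interprets; a top-level archive name containing any
# of them must never be spliced into a shell command line.
SHELL_METACHARS = re.compile(r'[;&|`$<>(){}\[\]!*?~\s\\"\'#]')

def top_level_names(zip_bytes: bytes) -> set:
    """Return the set of first path components of all entries in a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        parts = (PurePosixPath(n).parts for n in zf.namelist())
        return {p[0] for p in parts if p}

def unsafe_top_level_names(zip_bytes: bytes) -> list:
    """Top-level names that carry shell metacharacters or escape the destination."""
    return sorted(
        name for name in top_level_names(zip_bytes)
        if name in ("..", "/") or SHELL_METACHARS.search(name)
    )

def vulnerable_rename_cmdline(dest: str, top: str, target: str) -> str:
    """Pattern to avoid (hypothetical): the name is interpolated into a shell string,
    so a name holding metacharacters becomes part of the command, not just an argument."""
    return f"mv {dest}/{top} {target}"

def safe_rename_argv(dest: str, top: str, target: str) -> list:
    """Hardened form (hypothetical): an argv list handed to exec without a shell, so the
    name stays a single argument whatever it contains; '--' ends option parsing."""
    return ["mv", "--", f"{dest}/{top}", target]

def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a normal source tree and one whose folder name carries '$(' ')'.
CLEAN_ZIP = build_zip({"pkg-1.0/README": "ok", "pkg-1.0/src/main.c": "int main(){}"})
TAINTED_ZIP = build_zip({"pkg$(id)/README": "ok"})
```

Running `unsafe_top_level_names` before handing an archive to any extraction helper gives a cheap gate; the durable fix is the argv-list form, which removes the shell from the path entirely.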

CVSS v3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved