CVE-2026-24846
MEDIUM5.5EPSS 0.01%malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction
Description
malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. **Fixes:** - [Swap handleSymlink arguments; validate symlink location](https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017) - [Validate symlink targets resolve within extraction directory](https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96) **Acknowledgements** Thank you to Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.
Affected packages (2)
- Go/github.com/chainguard-dev/malcontent>= 1.8.0, < 1.20.3
- Go/github.com/chainguard-dev/malcontent>= 1.8.0, < 1.20.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-24846
- PATCHhttps://github.com/chainguard-dev/malcontent
- WEBhttps://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96
- WEBhttps://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017
- WEBhttps://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh