CVE-2026-46486

描述

### Summary The `fileID` field from `Manifest.db` (a SQLite database inside iOS backups, generated by the device) is used directly in filesystem path construction without validation. This affects two commands through a shared code path: - **`mvt-ios decrypt-backup`** (`decrypt.py`): `file_id` is used to construct both read source and write destination paths. Traversal sequences in `file_id` cause decrypted content to be written to an arbitrary location on the analyst's filesystem. - **`mvt-ios check-backup`** (via `_get_backup_file_from_id()` in `ios/modules/base.py`): the same unvalidated `fileID` resolves to files outside the backup directory, which are then opened and parsed. Parsed contents flow into JSON results and CSV timeline. ### Impact **File write (decrypt-backup):** An adversary delivering a crafted iOS backup can cause attacker controlled content to be written to arbitrary paths writable by the analyst process. This could be leveraged for code execution via shell profile modification or SSH key injection. Severity is assessed as Moderate because exploitation requires a specifically crafted malicious bundle to be parsed by the analyst. There are trust mitigations between stakeholders involved in the handoff of the sample that reduce the likelihood of this scenario. **File read (check-backup):** An adversary can force MVT to open and parse files outside the backup directory. Practical exploitation is reduced as it requires the attacker to know or guess the analyst’s directory layout for cross-case targeting, and the traversed file from the host must be a valid SQLite database or plist whose schema matches what the specific MVT module expects. ### Patched version [2026.5.12](https://github.com/mvt-project/mvt/releases/tag/v2026.5.12) ### Credits This issue was identified during a security assessment conducted by 0xche.

如何修補 CVE-2026-46486

要修補 CVE-2026-46486,請將受影響套件升級到下列已修補版本。

• —升級至 2026.5.12 或更新版本

CVE-2026-46486 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-46486 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)