Description
malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap the `handleSymlink` arguments, validate the symlink location, and validate that symlink targets resolve within the extraction directory.
Published: 2026-01-29
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized filesystem write
Action: Patch
AI Analysis

Impact

Malcontent, a tool for detecting supply‑chain compromises, contains a flaw in its archive‑extraction logic that allows an attacker to craft a tar or deb archive to create symbolic links outside the intended extraction directory. The handleSymlink function receives arguments in the wrong order, so the symlink target is used as the link location, and no validation ensures that the link remains within the extraction path. When an attacker supplies such an archive, the tool can write files to arbitrary locations on the filesystem, potentially modifying system files or overwriting critical data. This weakness is classified as CWE‑22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') and CWE‑683 (Function Call With Incorrect Order of Arguments).

Affected Systems

The vulnerability affects chainguard‑dev's Malcontent, specifically all releases from version 1.8.0 up to, but not including, version 1.20.3. Users running any of these versions are susceptible to arbitrary writes caused by maliciously crafted archives.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while an EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. Malcontent is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. An attacker would need to supply a specially crafted tar or deb file to the application (likely during an automated or user‑initiated scan) to exploit this flaw. Because the bug only affects the interpretation of symlink targets within archive extraction, it does not provide remote code execution but can lead to privilege escalation or data loss if the application runs with elevated permissions.

Generated by OpenCVE AI on April 18, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade malcontent to version 1.20.3 or later, which corrects the argument order and validates symlink locations and targets.
  • Run the scanning process in a restricted environment (e.g., a container or dedicated low‑privilege user) that does not have write access to sensitive system directories, reducing the impact if a symlink slip occurs.
  • Manually verify or automatically check extracted files for symlink paths that resolve outside the intended extraction directory before deployment, ensuring no unauthorized filesystem writes can occur.
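
An added Go example (not malcontent's own code) of the two checks the fix description names: it validates the symlink location and the symlink target before the link is created, and calls `os.Symlink` in its documented argument order. `resolveIn` and `safeSymlink` are hypothetical names; rejecting absolute targets and requiring an already-resolved extraction root are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveIn walks rel from dir one component at a time, following symlinks
// already on disk instead of collapsing "link/.." lexically; it must end in root.
func resolveIn(root, dir, rel string) (string, error) {
	cur := dir
	for _, part := range strings.Split(filepath.ToSlash(rel), "/") {
		cur = filepath.Join(cur, part) // "" and "." are no-ops, ".." pops one level
		if _, err := os.Lstat(cur); err == nil {
			if cur, err = filepath.EvalSymlinks(cur); err != nil {
				return "", err // dangling or looping link on the path: refuse
			}
		}
	}
	if r, err := filepath.Rel(root, cur); err != nil || r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q resolves outside %q", rel, root)
	}
	return cur, nil
}

// safeSymlink (hypothetical name) handles one archive entry: name is where the
// link lives, linkname is what it points at. root must be a real, existing path.
func safeSymlink(root, name, linkname string) error {
	dirPart, base := filepath.Split(name)
	dir, err := resolveIn(root, root, dirPart)
	if err == nil {
		_, err = resolveIn(root, dir, linkname)
	}
	if err != nil || base == "" || base == "." || base == ".." || filepath.IsAbs(linkname) {
		return fmt.Errorf("refusing symlink %q -> %q: %v", name, linkname, err)
	}
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	// os.Symlink(oldname, newname): target first, link location second.
	return os.Symlink(linkname, filepath.Join(dir, base))
}

func main() { // usage: prog <extract-root> <entry-name> <link-target>
	if len(os.Args) == 4 {
		fmt.Println(safeSymlink(os.Args[1], os.Args[2], os.Args[3]))
	}
}
```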

Advisories
Source: GitHub GHSA
ID: GHSA-923j-vrcg-hxwh
Title: malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction

History

Tue, 24 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared: Chainguard; Chainguard malcontent
CPEs: cpe:2.3:a:chainguard:malcontent:*:*:*:*:*:*:*:*
Vendors & Products: Chainguard; Chainguard malcontent

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared: Chainguard-dev; Chainguard-dev malcontent
Vendors & Products: Chainguard-dev; Chainguard-dev malcontent

Thu, 29 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Description: malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap the `handleSymlink` arguments, validate the symlink location, and validate that symlink targets resolve within the extraction directory.
Title: malcontent's archive extraction could write outside extraction directory
Weaknesses: CWE-22; CWE-683
References
Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T21:37:29.730Z

Reserved: 2026-01-27T14:51:03.059Z

Link: CVE-2026-24846

Vulnrichment

Updated: 2026-01-29T21:37:04.798Z

NVD

Status: Analyzed

Published: 2026-01-29T22:15:54.740

Modified: 2026-02-24T19:51:41.880

Link: CVE-2026-24846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses