Description
malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives that failed to extract, which could leave malicious content out of the scan. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Version 1.21.0 fixes the issue.
Published: 2026-02-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Content omission due to dropped nested archives during scanning
Action: Patch
AI Analysis

Impact

malcontent is designed to detect supply‑chain compromise by scanning archives for malicious patterns. Because of this flaw, nested archives that failed to extract were silently removed, so their contents were never examined. As a result, malicious content may pass undetected, reducing the tool’s effectiveness. This weakness is a failure to handle error conditions properly, categorized as CWE‑703.

Affected Systems

The vulnerable software is Chainguard‑Dev Malcontent. All releases before 1.21.0 are affected. Versions 1.21.0 and later include the fix.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating moderate risk. EPSS is less than 1%, making exploitation unlikely. The flaw is not listed in the CISA KEV catalog. The attack vector is indirect: an adversary can craft an archive that contains a nested archive that fails to extract; malcontent will drop the content, allowing the malicious payload to evade detection. Because the flaw only causes missing detection and not direct code execution, the impact is limited to ineffective security monitoring rather than an immediate compromise.

Generated by OpenCVE AI on April 16, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 1.21.0 or newer to apply the fix.
  • Validate that the scanning pipeline preserves or logs any failed nested‑archive extraction so that potentially missed content can be inspected manually.
  • If an upgrade cannot be performed immediately, manually examine the outputs of current scans for undiscovered nested archives and scan those files with a secondary tool to confirm no malicious material.
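
The drop-on-failure behaviour and the preserve-the-bytes alternative described above, as an added Go example that is not malcontent's code. The names scanInputs, expandInto and the preserve flag are hypothetical, zip is the only nested format handled, and archives are recognised by a leading "PK" (an assumption made for brevity).

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
)

// expandInto adds every member of a nested zip to inputs; an error means it was not fully read.
func expandInto(inputs map[string][]byte, name string, data []byte) error {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return err
	}
	for _, f := range zr.File {
		rc, err := f.Open()
		if err == nil {
			inputs[name+"/"+f.Name], err = io.ReadAll(rc)
			rc.Close()
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// scanInputs builds the set of byte streams handed to the scanner.
// preserve=false models dropping a nested archive that fails to extract.
func scanInputs(members map[string][]byte, preserve bool) (map[string][]byte, []string) {
	inputs, failed := map[string][]byte{}, []string{}
	for name, data := range members {
		if bytes.HasPrefix(data, []byte("PK")) {
			if expandInto(inputs, name, data) == nil {
				continue
			}
			failed = append(failed, name) // always record the failure
			if !preserve {
				continue // dropped: the raw archive bytes never reach the scanner
			}
		}
		inputs[name] = data // plain file, or preserved archive bytes for a best-effort scan
	}
	return inputs, failed
}

func main() { // constructed sample: a truncated nested zip
	in, failed := scanInputs(map[string][]byte{"inner.zip": []byte("PK\x03\x04 truncated")}, true)
	fmt.Println(len(in), failed)
}
```

The returned failed list is what a pipeline would log or alert on, so that an extraction failure is visible even when the raw bytes are still scanned.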


Advisories
Source: GitHub GHSA
ID: GHSA-945p-3jhm-6rcp
Title: malcontent: Nested archive extraction failure can drop content from scan inputs
History

Tue, 03 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard
Chainguard malcontent
CPEs cpe:2.3:a:chainguard:malcontent:*:*:*:*:*:*:*:*
Vendors & Products Chainguard
Chainguard malcontent
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard-dev
Chainguard-dev malcontent
Vendors & Products Chainguard-dev
Chainguard-dev malcontent

Fri, 27 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Version 1.21.0 fixes the issue.
Title malcontent's nested archive extraction failure can drop content from scan inputs
Weaknesses CWE-703
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T22:01:48.514Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28407

Vulnrichment

Updated: 2026-03-02T22:01:44.254Z

NVD

Status: Analyzed

Published: 2026-02-27T22:16:23.680

Modified: 2026-03-03T18:23:37.350

Link: CVE-2026-28407

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z
