Description
AGL app-framework-main through 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot-notation directory traversal sequences (".."); it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT), which resolves dot-notation components relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in the function install_widget in wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory; files written outside it via path traversal persist permanently.
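The entry-name check described above is the first half of the fix; the following is an added example (not code from app-framework-main) of a hardened validator that rejects absolute paths and any ".." component before a name is ever passed to openat(workdirfd, ...). The function name is_safe_entry_name and the sample entry names are constructed for illustration; the ordering half of the fix (call check_all_signatures before any zread write) is not shown.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for is_valid_filename: returns true only if
 * 'name' is relative and contains no ".." path component, so that
 * openat(workdirfd, name, O_CREAT) cannot resolve outside the work dir.
 * Backslashes are rejected outright rather than guessed at as separators.
 * Note: this does not defend against symlink entries written earlier in
 * the same archive; the extractor must also open with O_NOFOLLOW/O_EXCL. */
bool is_safe_entry_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;                 /* empty name */
    if (name[0] == '/')
        return false;                 /* absolute path */
    if (strchr(name, '\\') != NULL)
        return false;                 /* ambiguous separator */

    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* a component that is exactly ".." escapes the work directory */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (end == NULL)
            break;
        p = end + 1;                  /* "dir/" (trailing slash) is fine */
    }
    return true;
}

int main(void)
{
    /* constructed sample entry names, not taken from any real widget */
    const char *samples[] = {
        "config.xml", "icons/app.png", "icons/",
        "/etc/passwd", "../../etc/passwd", "icons/../../etc/cron.d/x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               is_safe_entry_name(samples[i]) ? "accept" : "REJECT");
    return 0;
}
```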
Published: 2026-05-01
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Automotive Linux’s app‑framework‑main allows a malicious ZIP archive to cause files to be written anywhere on the filesystem. The is_valid_filename check ignores dot‑notation traversal while the subsequent extraction uses openat with the working directory, enabling an attacker to overwrite critical system files. Because extraction occurs before signature verification, a malformed archive can persistently place arbitrary data even if the manifest later fails integrity checks.

Affected Systems

The vulnerability affects the Automotive Linux app‑framework‑main component, specifically versions up to and including 17.1.12. Devices running these releases may expose a widget installation interface to potentially untrusted archives.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity; the exploit probability metric is not available, and absence from CISA's KEV list does not mitigate the risk. An attacker could supply a crafted widget package locally or via an exposed distribution channel. Because extraction precedes signature verification (the TOCTOU flaw), files written by the malicious archive survive a signature verification failure, granting an attacker persistent write access on the target system.

Generated by OpenCVE AI on May 2, 2026 at 07:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release of Automotive Linux app‑framework‑main that corrects the ZIP extraction logic and enforces signature verification before any file is written.
  • Configure the widget installation process to run inside a restricted environment, such as a chroot or container, that limits the writable paths to a dedicated workspace and prevents traversal to system directories.
  • Disable the widget installation mechanism on devices where it is not required, or enforce strict validation that only accepts fully signed packages and rejects any archive that fails immediate signature checks before extraction.



Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

Type: Title
Values removed: (none)
Values added: Archive Extraction Path Traversal with TOCTOU in Automotive Linux Widget Installation

Fri, 01 May 2026 20:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-22, CWE-367

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 May 2026 16:45:00 +0000

Type: Description
Values removed: (none)
Values added: AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT) which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory files written outside via path traversal persist permanently.

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:45:23.782Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37531

Vulnrichment

Updated: 2026-05-01T19:34:26.617Z

NVD

Status: Received

Published: 2026-05-01T17:16:22.720

Modified: 2026-05-01T20:16:22.657

Link: CVE-2026-37531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses