CVE-2026-40024 - Vulnerability Details

- Sleuth Kit tsk_recover Path Traversal

Description

The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries.

Published: 2026-04-08

Score: 8.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a pathname traversal flaw in the tsk_recover utility of Sleuth Kit. By providing filenames that contain path‑traversal sequences such as /../ within a filesystem image, the tool writes recovered files to locations outside the intended output directory. This allows an attacker to overwrite arbitrary files, potentially replacing shell configuration files or cron entries and thereby enabling arbitrary code execution.

Affected Systems

The flaw affects all releases of Sleuth Kit up to and including version 4.14.0. The vulnerable component is found in the Sleuth Kit project maintained by sleuthkit. Administrators using any distribution of tsk_recover within that version range should consider their installations vulnerable.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, and the EPSS score below 1% suggests a low likelihood of exploitation in the wild. It is not currently listed in the CISA KEV catalog. Based on the description, the attack requires an attacker to supply a crafted filesystem image to tsk_recover and must run the utility with sufficient permissions to write to the target directory; thus the attack vector is local, though it could be abused in a remote context if the tool is invoked by an untrusted user or process.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

sleuthkit

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.14.0
`a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b`	unaffected	—

Configuration 1 [-]

cpe:2.3:a:sleuthkit:the_sleuth_kit:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Sleuthkit

The Sleuth Kit

88%

Version	Status	Scheme	Platform
`[0,4.14.0]`	affected	generic	—
`a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b`	unaffected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Sleuth Kit to version 4.14.1 or newer.
If an upgrade is not immediately possible, limit access to tsk_recover to trusted users only.
Verify that output directories are owned by a non‑privileged account and cannot be written to by untrusted processes.
Consider processing suspect filesystem images in a sandboxed environment to prevent accidental overwrites.

Generated by OpenCVE AI on April 13, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/sleuthkit/sleuthkit/commit/a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b
https://mobasi.ai/sentinel
https://nvd.nist.gov/vuln/detail/CVE-2026-40024
https://www.cve.org/CVERecord?id=CVE-2026-40024
https://www.vulncheck.com/advisories/sleuth-kit-tsk-recover-path-traversal

History

Tue, 14 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-40024 https://www.cve.org/CVERecord?id=CVE-2026-40024
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 13 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:sleuthkit:the_sleuth_kit::::::::

Thu, 09 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sleuthkit Sleuthkit the Sleuth Kit
Vendors & Products		Sleuthkit Sleuthkit the Sleuth Kit

Wed, 08 Apr 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries.
Title		Sleuth Kit tsk_recover Path Traversal
Weaknesses		CWE-22
References		https://github.com/sleuthkit/sleuthkit/commit/a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b https://mobasi.ai/sentinel https://www.vulncheck.com/advisories/sleuth-kit-tsk-recover-path-traversal
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}` cvssV4_0 `{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Sleuthkit The Sleuth Kit

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-04-08T21:35:20.662Z

Updated: 2026-04-09T18:13:37.338Z

Reserved: 2026-04-08T13:35:50.657Z

Link: CVE-2026-40024

Vulnrichment

Updated: 2026-04-09T18:13:20.720Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:22.430

Modified: 2026-04-15T20:52:44.537

Link: CVE-2026-40024

Redhat

Severity : Important

Publid Date: 2026-04-08T21:35:20Z

Links: CVE-2026-40024 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:03Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object