Description
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks.
A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.

This issue has been fixed in commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269.
Published: 2026-06-29
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GNU gzip’s gzexe utility uses an insecure method for creating temporary files when the mktemp tool is not found in the system’s PATH: it constructs a file name solely from the current process ID without any exclusive access or existence verification. An attacker who can run commands locally may therefore create a symbolic link at the predicted file name pointing to any file that the victim can write. When gzexe executes, it follows the symlink and overwrites the target file, demonstrating a time‑of‑check to time‑of‑use (TOCTOU) flaw that permits arbitrary file modification. The impact is that confidential or configuration files can be overwritten, potentially facilitating further compromise or denial of service, but the vulnerability requires the attacker to have local execution privileges and the ability to create symbolic links.

Affected Systems

All installations of GNU gzip that include the gzexe utility and do not contain the patch commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 are affected. This includes older versions of gzip across Linux, Unix, and other operating systems where the gzexe command is present.

Risk and Exploitability

The CVSS score of 2 indicates low severity, and the EPSS score is not available, suggesting no publicly known exploits at this time. The vulnerability is not listed in CISA’s KEV catalogue, further indicating a low likelihood of widespread exploitation. However, because the attack requires only local access and the ability to create a symbolic link, it is easily exploitable on systems where users have such permissions. The exploit path is straightforward: set up a malicious symlink to a writable target, then run gzexe; the file is overwritten. The risk is mitigated primarily by patching or otherwise preventing access to the vulnerable utility.

Generated by OpenCVE AI on June 29, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gzip to a version that contains patch commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269.
  • Ensure the mktemp utility is available in the system PATH; if it is missing, install or add it so that gzexe can use the secure temporary‑file creation method.
  • If an upgrade is not immediately possible, restrict or remove access to the gzexe command or delete the temporary‑file handling code, and verify that no symbolic links can be created in the predicted file path.
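As an added example (not code from gzip or the gzexe script itself), the following shell functions show the pattern the description and the recommended actions above point at: use mktemp when it is on the PATH, and when it is absent create the fallback file exclusively so that a pre-planted symlink at the predicted PID-based name is refused rather than followed. The function names (safe_tmpfile, safe_tmpfile_fallback, demo_symlink_not_followed) and the directory layout in the demonstration are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not gzexe's own code. Demonstrates temporary-file creation in
# a shell script that does not follow a pre-planted symlink even when mktemp
# is unavailable. All function names here are hypothetical.
#
# The insecure pattern the CVE describes looks like:
#     tmp=/tmp/gzexe$$; ... > "$tmp"
# A plain '>' opens with O_CREAT|O_TRUNC, so if $tmp already exists as a
# symlink, the write lands on the symlink's target.

# Create a temp file under $1 (default: $TMPDIR or /tmp) and print its path.
# Prefer mktemp; otherwise fall back to an exclusive create.
safe_tmpfile() {
    dir="${1:-${TMPDIR:-/tmp}}"
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/gzexe.XXXXXX"
        return $?
    fi
    safe_tmpfile_fallback "$dir"
}

# Fallback for hosts without mktemp. The candidate names still contain $$ and
# are therefore predictable; the difference is that noclobber (set -C) makes
# the shell open the path with O_EXCL, so an existing path, whether a regular
# file, a live symlink or a dangling symlink, is rejected instead of written
# through. On rejection we move on to the next candidate.
safe_tmpfile_fallback() {
    dir="$1"
    i=0
    while [ "$i" -lt 100 ]; do
        candidate="$dir/gzexe.$$.$i"
        # Subshell so the noclobber setting does not leak into the caller.
        if ( set -C; : > "$candidate" ) 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Demonstration in a private directory (constructed input): plant a symlink at
# the first predicted candidate name pointing at a "victim" file, then run the
# fallback. Prints "intact" when the fallback skipped the planted name and the
# victim file still holds its original content, "overwritten" otherwise.
demo_symlink_not_followed() {
    work=$(mktemp -d) || return 1
    printf 'original\n' > "$work/victim"
    ln -s "$work/victim" "$work/gzexe.$$.0"     # predicted first candidate
    tmp=$(safe_tmpfile_fallback "$work") || { rm -rf "$work"; return 1; }
    if [ "$tmp" != "$work/gzexe.$$.0" ] && [ "$(cat "$work/victim")" = "original" ]; then
        result=intact
    else
        result=overwritten
    fi
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Stand-alone usage: run the demonstration.
demo_symlink_not_followed
```

Note that this only removes the symlink-following write; a predictable name is still a weaker design than mktemp, which is why the first recommended action is to make mktemp available rather than to rely on the fallback.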

Generated by OpenCVE AI on June 29, 2026 at 13:50 UTC.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gnu; Gnu gzip
Vendors & Products | | Gnu; Gnu gzip

Mon, 29 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
Title | | Predictable Temporary File in GNU gzip
Weaknesses | | CWE-377
References | |
Metrics | | cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-29T13:31:46.581Z

Reserved: 2026-04-23T08:06:09.511Z

Link: CVE-2026-41991

Vulnrichment

Updated: 2026-06-29T13:31:40.967Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses