Description
A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
Published: 2026-05-28
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection vulnerability was found in the rpm utility rpmuncompress. When an archive whose top-level directory name contains shell metacharacters is extracted, the tool concatenates that directory name into a shell command (the popen() call in dountar() named in the CVE title) without escaping it, and the shell parses the injected characters as part of the command line. An attacker who can get a victim to extract a crafted archive can therefore execute arbitrary commands as the user running rpmuncompress. Depending on that user, the result ranges from data modification under a build account to local privilege escalation or full compromise of the host.

Affected Systems

The vulnerability affects rpm as shipped across Red Hat's product line. The CPEs recorded for this CVE cover Red Hat Enterprise Linux 6, 7, 8, 9 and 10, Red Hat OpenShift 4 (with OpenShift Container Platform added to the record on 30 May), Red Hat Satellite 6, Red Hat build of Quarkus 3, Red Hat Hummingbird 1, Red Hat pdrive Lightspeed and Red Hat Hardened Images. No specific version ranges are listed in the current data, so every installed copy of rpmuncompress should be treated as affected until a vendor fix identifies the corrected versions.

Risk and Exploitability

The CVSS 3.1 base score is 7.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), which is high severity on the CVSS scale; Red Hat's own threat severity for the flaw is Moderate. The vector explains the exploitation path: no privileges are required (PR:N), but the attack is local (AV:L) and needs user interaction (UI:R), namely a user extracting an attacker-supplied archive with rpmuncompress, and the high attack complexity (AC:H) reflects that the attacker must first place such an archive where it will be processed. In current rpm releases, rpmbuild's %setup macro calls rpmuncompress to unpack source archives, so the realistic scenario is a package build from an untrusted source tarball or SRPM. EPSS is below 1% (very low), the CVE is not in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. No vendor fix or workaround was listed at the time of this report, so unpatched build environments remain exposed.

Generated by OpenCVE AI on May 28, 2026 at 08:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the RPM security update that fixes the rpmuncompress command injection as soon as the vendor publishes one; none is listed at the time of writing.
  • Do not feed archives from untrusted sources to rpmuncompress, or to rpmbuild, whose %setup macro invokes rpmuncompress to unpack source archives. Where third-party sources must be built, do so as an unprivileged, single-purpose build user or inside an isolated build environment, so that a successful injection is confined to that account.
  • Until a fix is available, extract untrusted archives with a tool that does not pass file names through a shell, or list the archive's top-level entries first and reject any whose name contains shell metacharacters before extraction.
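The following C program is an added example, not code from rpm or rpmuncompress, and it reconstructs the pattern described in the Impact section and the check suggested in the last recommended action: an archive's top-level directory name pasted verbatim into a popen(3) command string, the same command with every untrusted component single-quoted, a shell-free exec of an argv array, and a metacharacter check that can run before extraction. The `mv <tmpdir>/<topdir> <dest>` command and the names tmpdir, topdir and dest are hypothetical stand-ins; the page does not show the command rpmuncompress actually builds. The malicious directory name is constructed for the demo.

```c
/* popen_demo.c: added example, not rpm's code. The "mv" command is a
 * hypothetical stand-in for whatever rpmuncompress runs via popen(3). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Bytes that let sh(1) split one word, start a second command, or expand text. */
static const char SHELL_META[] = ";|&$`\\\"'<>()*?[]{}~!#\n\t ";

/* 1 if name contains any shell metacharacter, else 0. */
int has_shell_meta(const char *name)
{
    for (; *name; name++)
        if (strchr(SHELL_META, *name))
            return 1;
    return 0;
}

/* Vulnerable pattern: topdir is pasted into the command verbatim, so a name
 * such as "pkg-1.0;id>/tmp/pwned" becomes a second shell command. Caller frees. */
char *build_cmd_unsafe(const char *tmpdir, const char *topdir, const char *dest)
{
    size_t n = strlen(tmpdir) + strlen(topdir) + strlen(dest) + 16;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "mv %s/%s %s", tmpdir, topdir, dest);
    return cmd;
}

/* Wrap s in single quotes, rewriting each embedded ' as '\''. Inside single
 * quotes sh performs no expansion or splitting, so the result is one word. Caller frees. */
char *shell_quote(const char *s)
{
    size_t n = 2;
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1), *o = out;
    if (!out)
        return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Hardened string form: every untrusted component is quoted before concatenation. */
char *build_cmd_safe(const char *tmpdir, const char *topdir, const char *dest)
{
    char *qt = shell_quote(tmpdir), *qd = shell_quote(topdir), *qs = shell_quote(dest);
    char *cmd = NULL;
    if (qt && qd && qs) {
        size_t n = strlen(qt) + strlen(qd) + strlen(qs) + 16;
        cmd = malloc(n);
        if (cmd)
            snprintf(cmd, n, "mv %s/%s %s", qt, qd, qs);
    }
    free(qt); free(qd); free(qs);
    return cmd;
}

/* Better still: no shell at all. exec the program with an argv array; the
 * directory name is one argument whatever bytes it contains. Returns the
 * child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "pkg-1.0;id>/tmp/pwned";   /* constructed malicious top-level name */
    char *unsafe = build_cmd_unsafe("/tmp/x", evil, "/tmp/out");
    char *safe = build_cmd_safe("/tmp/x", evil, "/tmp/out");
    printf("metachars: %d\nunsafe:    %s\nsafe:      %s\n", has_shell_meta(evil), unsafe, safe);
    /* argv form: echo prints the name back as one argument; no second command runs */
    char *const argv[] = { "echo", (char *)evil, NULL };
    run_argv(argv);
    free(unsafe); free(safe);
    return 0;
}
```

The unsafe builder produces `mv /tmp/x/pkg-1.0;id>/tmp/pwned /tmp/out`, which sh executes as an `mv` followed by `id` with its output redirected; the quoted form is a single `mv` whose second argument is the literal directory name, and the argv form never involves sh. Quoting closes the hole at this one call site, but exec'ing an argv array is the durable fix because it removes the shell parser from the path entirely, and the `has_shell_meta` check is the pre-extraction gate the recommended action describes for environments that cannot yet patch.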

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Redhat hardened Images
                                       Redhat openshift Container Platform
Vendors & Products                     Redhat hardened Images
                                       Redhat openshift Container Platform

Thu, 28 May 2026 13:30:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 12:15:00 +0000

Type                 Values Removed    Values Added
References
Metrics              threat_severity   threat_severity
                     None              Moderate

Thu, 28 May 2026 07:30:00 +0000

Type                 Values Removed    Values Added
Description                            A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
Title                                  Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command
First Time appeared                    Redhat
                                       Redhat enterprise Linux
                                       Redhat hummingbird
                                       Redhat openshift
                                       Redhat pdrive Lightspeed
                                       Redhat quarkus
                                       Redhat satellite
Weaknesses                             CWE-78
CPEs                                   cpe:/a:redhat:hummingbird:1
                                       cpe:/a:redhat:openshift:4
                                       cpe:/a:redhat:pdrive_lightspeed:0
                                       cpe:/a:redhat:quarkus:3
                                       cpe:/a:redhat:satellite:6
                                       cpe:/o:redhat:enterprise_linux:10
                                       cpe:/o:redhat:enterprise_linux:6
                                       cpe:/o:redhat:enterprise_linux:7
                                       cpe:/o:redhat:enterprise_linux:8
                                       cpe:/o:redhat:enterprise_linux:9
Vendors & Products                     Redhat
                                       Redhat enterprise Linux
                                       Redhat hummingbird
                                       Redhat openshift
                                       Redhat pdrive Lightspeed
                                       Redhat quarkus
                                       Redhat satellite
References
Metrics                                cvssV3_1
                                       {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T12:15:33.073Z

Reserved: 2026-05-07T03:57:03.811Z

Link: CVE-2026-44604

Vulnrichment

Updated: 2026-05-28T12:15:20.380Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T08:16:35.280

Modified: 2026-05-28T13:44:54.327

Link: CVE-2026-44604

Redhat

Severity : Moderate

Public Date: 2026-05-28T05:52:00Z

Links: CVE-2026-44604 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T21:19:20Z

Weaknesses