Impact
The flaw in electron-updater allows an attacker to inject an empty component into the LD_LIBRARY_PATH environment variable when an AppImage built by app-builder-lib runs. The dynamic linker treats the empty component as the current working directory and adds it to its search path, so an attacker can place a malicious shared library next to the AppImage and cause the application to load and execute that code. The weakness is classified as CWE-427 and can lead to arbitrary code execution with the privileges of the AppImage process.
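The empty-component condition described above can be checked for and avoided in a launcher script. The following is an added example, not code from electron-builder or from this advisory. The function names and paths are constructed, and the naive concatenation is an assumed pattern that shows how a zero-length entry can arise, not the project's launcher code.

```sh
#!/bin/sh
# Added example: detect and avoid zero-length LD_LIBRARY_PATH entries,
# which the dynamic linker resolves to the current working directory.

# Succeeds (0) if the colon-separated list $1 has a zero-length entry.
has_empty_component() {
    case "$1" in
        "")          return 1 ;;  # unset or empty: no list at all
        :*|*:|*::*)  return 0 ;;  # leading, trailing or doubled colon
        *)           return 1 ;;
    esac
}

# Naive concatenation (constructed illustration): when the inherited
# value $2 is empty, the result ends in ":" and gains an empty entry.
naive_prepend() { printf '%s:%s\n' "$1" "$2"; }

# Remove zero-length entries from list $1. The subshell body keeps the
# IFS and globbing changes local to this function.
drop_empty_components() (
    out=
    IFS=:
    set -f
    for part in $1; do
        if [ -n "$part" ]; then out="${out:+$out:}$part"; fi
    done
    printf '%s\n' "$out"
)

# Safe form: clean the inherited value first, then add the separator
# only when something is left to append.
safe_prepend() {
    rest=$(drop_empty_components "$2")
    printf '%s%s\n' "$1" "${rest:+:$rest}"
}

# Print the LD_LIBRARY_PATH value stored in a NUL-separated environ
# file $1 (for a running process: /proc/<pid>/environ).
ld_path_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^LD_LIBRARY_PATH=//p'
}
```

To audit a running AppImage process, pass the output of `ld_path_from_environ /proc/<pid>/environ` to `has_empty_component`.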
Affected Systems
The issue affects users of electron-userland:app-builder-lib and electron-builder who build AppImage targets with versions before 26.15.0. The vulnerability is specific to AppImage builds produced by app-builder-lib; releases from 26.15.0 onward are considered fixed.
Risk and Exploitability
The CVSS score of 7.8 reflects high severity, with potential for remote code execution. Although EPSS data is not available, the lack of a listing in the CISA KEV catalog suggests no publicly known exploits at this time. The attack requires the ability to place a malicious shared library in the directory from which an AppImage is launched, or to influence the LD_LIBRARY_PATH environment variable, which typically means a local adversary or one who can control the launch directory. Consequently, the risk is significant for installations that run untrusted AppImages from writable locations.