
Description

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) into a specified destination directory, the tool inserts the archive's top-level folder name into a shell command string without neutralizing shell metacharacters. A specially crafted archive whose top-level folder name contains shell metacharacters can therefore execute arbitrary commands with the privileges of the user who runs the extraction. The CVSS vector (local attack vector, user interaction required) reflects that a user or build system must first unpack the attacker-supplied archive; `rpmuncompress` is what rpm's `%setup` and `%autosetup` macros use to unpack sources during rpmbuild, so building a package from an untrusted source archive is the typical exposure.
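The bug class the description refers to, as an added example that is not RPM's rpmuncompress source: a folder name taken from an archive is formatted into a command string for /bin/sh, and the two fixes a reviewer would ask for sit beside it. The function names, the `mv` step, the `/tmp/x` and `/dest` paths and the constructed folder name `pkg;id` are assumptions for illustration only.

```c
/* Added illustration of the bug class described above. It is not RPM's
 * rpmuncompress.c: the function names, the `mv` step and the paths are
 * assumptions chosen to show the pattern (an archive's top-level folder
 * name spliced into a /bin/sh command string) next to two fixes. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: `topdir` comes from the archive and is formatted
 * straight into a command that would go to system()/popen(). The string is
 * only built here, never run, so the injection can be inspected. Caller frees. */
char *build_cmd_unsafe(const char *tmp, const char *topdir, const char *dest)
{
    size_t n = strlen(tmp) + strlen(topdir) + strlen(dest) + 32;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "mv %s/%s/* %s/", tmp, topdir, dest);
    return cmd;
}

/* Reject-list check for POSIX shell metacharacters: fine for refusing an
 * archive early or for a detection rule, not a substitute for the fixes. */
bool has_shell_meta(const char *s)
{
    return strpbrk(s, "|&;<>()$`\\\"' \t\n*?[]#~") != NULL;
}

/* Fix 1: if a shell must be used, single-quote the value. Inside single
 * quotes only the quote itself is special; it is emitted as '\'' . Caller frees. */
char *shell_single_quote(const char *s)
{
    size_t n = 3;                       /* two quotes plus NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *o = out;
    if (!out)
        return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

char *build_cmd_quoted(const char *tmp, const char *topdir, const char *dest)
{
    char *qt = shell_single_quote(tmp), *qd = shell_single_quote(topdir),
         *qe = shell_single_quote(dest), *cmd = NULL;
    if (qt && qd && qe) {
        size_t n = strlen(qt) + strlen(qd) + strlen(qe) + 32;
        if ((cmd = malloc(n)) != NULL)      /* the glob stays outside the quotes */
            snprintf(cmd, n, "mv %s/%s/* %s/", qt, qd, qe);
    }
    free(qt); free(qd); free(qe);
    return cmd;
}

/* Fix 2 (preferred): no shell at all, exec an argv[] vector. Nothing is left
 * to inject into, but the name is still a path component, so "", ".", ".."
 * and anything containing '/' must be refused or the archive can still
 * escape the destination directory. */
bool path_component_ok(const char *name)
{
    return name[0] != '\0' && strcmp(name, ".") != 0 &&
           strcmp(name, "..") != 0 && strchr(name, '/') == NULL;
}

/* NULL-terminated argv for execvp("mv", argv), or NULL if `topdir` is not a
 * safe single path component. Caller frees argv[2] and argv. */
char **build_argv(const char *tmp, const char *topdir, const char *dest)
{
    if (!path_component_ok(topdir))
        return NULL;
    size_t n = strlen(tmp) + strlen(topdir) + 2;
    char *src = malloc(n);
    char **argv = calloc(5, sizeof *argv);
    if (!src || !argv) {
        free(src); free(argv);
        return NULL;
    }
    snprintf(src, n, "%s/%s", tmp, topdir);
    argv[0] = "mv";
    argv[1] = "--";             /* a name starting with '-' must not become an option */
    argv[2] = src;
    argv[3] = (char *)dest;
    argv[4] = NULL;
    return argv;
}
```

With the constructed folder name `pkg;id`, `build_cmd_unsafe` produces `mv /tmp/x/pkg;id/* /dest/`, which a shell runs as two commands, the second being whatever follows the `;`. `build_cmd_quoted` produces `mv '/tmp/x'/'pkg;id'/* '/dest'/`, where the name is inert. The argv form is the one to prefer: besides removing the shell it also handles names that start with `-` and names that are not a single path component, which quoting alone does not.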

PUBLISHED Reserved 2026-05-07 | Published 2026-05-28 | Updated 2026-05-28 | Assigner redhat

HIGH: 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unknown


Timeline

2026-04-23:Reported to Red Hat.
2026-05-28:Made public.

References

https://access.redhat.com/security/cve/CVE-2026-44604 (vdb-entry)

https://bugzilla.redhat.com/show_bug.cgi?id=2460967 (RHBZ#2460967, issue-tracking)

https://www.cve.org/CVERecord?id=CVE-2026-44604 (CVE-2026-44604)

https://nvd.nist.gov/vuln/detail/CVE-2026-44604 (CVE-2026-44604)
