CVE-2026-1386
📋 TL;DR
A UNIX symbolic link following vulnerability in Firecracker's jailer component allows local host users with write access to pre-created jailer directories to overwrite arbitrary host files during jailer startup. This affects Firecracker versions v1.13.1 and earlier, and v1.14.0 on Linux systems when the jailer runs with root privileges.
💻 Affected Systems
- Firecracker
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file overwrite leading to privilege escalation, service disruption, or data destruction.
Likely Case
Local privilege escalation allowing attackers to modify system files, install backdoors, or access sensitive data.
If Mitigated
Limited impact if proper access controls restrict write access to jailer directories and jailer runs with minimal privileges.
🎯 Exploit Status
Requires local access, write permissions to jailer directories, and understanding of symlink attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.13.2 or v1.14.1
Vendor Advisory: https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc
Restart Required: Yes
Instructions:
1. Stop all Firecracker instances.
2. Upgrade to v1.13.2 or v1.14.1 using your package manager or a manual download.
3. Restart Firecracker services.
🔧 Temporary Workarounds
Restrict directory permissions
Limit write access to pre-created jailer directories to trusted users only:
chmod 750 /path/to/jailer/directories
chown root:trusted_group /path/to/jailer/directories
Run jailer without root
Configure the jailer to run with the minimal necessary privileges instead of root.
🧯 If You Can't Patch
- Implement strict access controls on jailer directories (chmod 750, appropriate ownership)
- Audit and monitor all users with write access to jailer directories
🔍 How to Verify
Check if Vulnerable:
Check the Firecracker version with firecracker --version. If the version is v1.13.1 or earlier, or exactly v1.14.0, the system is vulnerable.
Check Version:
firecracker --version
Verify Fix Applied:
Confirm the version is v1.13.2, v1.14.1, or later: firecracker --version
📡 Detection & Monitoring
Log Indicators:
- Unusual file modification patterns in jailer directories
- Symlink creation in jailer directories
- Failed privilege escalation attempts
Network Indicators:
- None; this is a local-only attack with no network component
SIEM Query:
search 'symlink' AND ('jailer' OR 'firecracker') in system logs
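As an added example (not from the advisory or from the Firecracker project), the script below turns the version check and the directory-permission workaround above into a repeatable host audit: it classifies a version string against the affected ranges this page states, and flags symlinks and group- or world-writable directories under a jailer directory. It assumes `firecracker --version` prints the version as `vX.Y.Z`; the jailer path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the advisory or Firecracker's own code.
# Classifies a Firecracker version string against the ranges this page gives
# (v1.13.1 and earlier, and exactly v1.14.0, are affected; v1.13.2 and v1.14.1
# or later are fixed) and audits a jailer directory for what the workaround
# targets: symlinks inside it and write access for anyone but the owner.

# Returns 0 if VERSION is in an affected range, 1 if not, 2 if unparseable.
# Accepts "1.14.0", "v1.14.0" or "Firecracker v1.14.0"; that the output of
# `firecracker --version` contains the version in that form is an assumption.
fc_version_vulnerable() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -lt 1 ] && return 0        # pre-1.0: earlier than v1.13.1
    [ "$major" -gt 1 ] && return 1        # later major line carries the fix
    [ "$minor" -lt 13 ] && return 0       # v1.12.x and older
    [ "$minor" -eq 13 ] && [ "$patch" -le 1 ] && return 0   # v1.13.0, v1.13.1
    [ "$minor" -eq 14 ] && [ "$patch" -eq 0 ] && return 0   # v1.14.0 exactly
    return 1
}

# Prints each symlink and each group- or world-writable directory under DIR,
# i.e. the two things the chmod 750 / chown workaround is meant to rule out.
# Returns 0 when nothing was found, 1 otherwise.
jailer_dir_audit() {
    dir=$1
    links=$(find "$dir" -type l 2>/dev/null)
    loose=$(find "$dir" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null)
    [ -n "$links" ] && printf 'symlink(s) under %s:\n%s\n' "$dir" "$links"
    [ -n "$loose" ] && printf 'group/world-writable dir(s) under %s:\n%s\n' "$dir" "$loose"
    [ -z "$links$loose" ]
}

# Usage (placeholder jailer path; version output format assumed as above):
#   fc_version_vulnerable "$(firecracker --version 2>/dev/null)" && echo "affected version"
#   jailer_dir_audit /path/to/jailer/directories || echo "jailer tree needs attention"
```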