CVE-2026-24846

5.5 MEDIUM

📋 TL;DR

This vulnerability in malcontent allows attackers to create symbolic links outside the intended extraction directory when scanning specially crafted tar or deb archives. The bug occurs due to argument order reversal in the handleSymlink function and lack of symlink target validation. Users of malcontent versions 1.8.0 through 1.20.2 are affected.
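The missing check described above, as an added illustration rather than malcontent's own code: a Go routine that validates each tar symlink entry's target against the extraction root before anything is created on disk. Function names, the root path and the sample archive are constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

// symlinkEscapes reports whether a tar symlink entry `name` pointing at `target` would
// resolve outside `root`: absolute targets, and relative ones that climb past root via
// "..", are both rejected. A relative link resolves from the link's own directory.
func symlinkEscapes(root, name, target string) bool {
	if filepath.IsAbs(target) {
		return true
	}
	linkDir := filepath.Dir(filepath.Join(root, name))
	resolved := filepath.Clean(filepath.Join(linkDir, target))
	cleanRoot := filepath.Clean(root)
	return resolved != cleanRoot && !strings.HasPrefix(resolved, cleanRoot+string(filepath.Separator))
}

// scanArchive walks a tar stream and returns every symlink entry that would escape root.
func scanArchive(root string, data []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(data))
	var bad []string
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		// Arguments are (name, target) in that order; the advisory's bug was these two swapped.
		if hdr.Typeflag == tar.TypeSymlink && symlinkEscapes(root, hdr.Name, hdr.Linkname) {
			bad = append(bad, hdr.Name+" -> "+hdr.Linkname)
		}
	}
	return bad, nil
}

// buildSample is constructed test data: one safe symlink and two that escape the root.
func buildSample() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range [][2]string{{"pkg/bin/tool", "../lib/tool"}, {"pkg/etc", "../../../etc/passwd"}, {"pkg/abs", "/etc/shadow"}} {
		tw.WriteHeader(&tar.Header{Name: e[0], Linkname: e[1], Typeflag: tar.TypeSymlink, Mode: 0o777})
	}
	tw.Close()
	return buf.Bytes()
}
```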

💻 Affected Systems

Products:
  • malcontent
Versions: 1.8.0 through 1.20.2
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers when malcontent scans a malicious tar or deb archive; the tool must actually be run against attacker-supplied input for it to be exploitable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could create symlinks to sensitive system files, potentially leading to arbitrary file read/write, privilege escalation, or system compromise if malcontent runs with elevated privileges.

🟠 Likely Case

Local file system manipulation allowing unauthorized access to files outside the extraction directory, potentially exposing sensitive data or enabling further attacks.

🟢 If Mitigated

Limited impact if malcontent runs with minimal privileges and only processes trusted archives from controlled sources.

🌐 Internet-Facing: LOW - malcontent is typically used for local supply chain analysis rather than as an internet-facing service.
🏢 Internal Only: MEDIUM - The tool is used internally for security analysis, so exploitation could compromise the security scanning infrastructure itself.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting a malicious archive and convincing a user to scan it. No public exploits have been reported as of the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.3

Vendor Advisory: https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh

Restart Required: No

Instructions:

1. Update malcontent to version 1.20.3 or later using your package manager.
2. If building from source, pull the latest commit from GitHub.
3. Verify the fix by checking the version.

🔧 Temporary Workarounds

Restrict archive sources (all platforms)

Only scan archives from trusted, verified sources to prevent exploitation.

Run with minimal privileges (linux)

Execute malcontent with non-root privileges to limit potential damage from symlink attacks.

sudo -u nonprivilegeduser malcontent [options]

🧯 If You Can't Patch

  • Discontinue use of malcontent for scanning untrusted archives
  • Implement strict access controls on directories malcontent can access

🔍 How to Verify

Check if Vulnerable:

Check the malcontent version with malcontent --version. If the version is between 1.8.0 and 1.20.2 inclusive, the system is vulnerable.

Check Version:

malcontent --version

Verify Fix Applied:

After updating, run malcontent --version and confirm the version is 1.20.3 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation during archive scanning
  • Permission errors when accessing files outside expected directories

Network Indicators:

  • N/A - local vulnerability

SIEM Query:

process.name="malcontent" AND file.path contains "symlink" AND file.path contains ".."

Adapt the field names to your SIEM schema. The useful signal is a link created under malcontent's extraction directory whose target contains ".." or is an absolute path; the path of such a link will not generally contain the literal string "symlink", so the ".." clause is the one that matters.
