CVE-2026-20613
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-01-27

Assigner: Apple Inc.

Description
The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.
Meta Information
Published: 2026-01-23
Last Modified: 2026-01-27
Generated: 2026-05-07
AI Q&A: 2026-01-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product          | Version / Range
apple  | container        | up to 0.8.0 (excluding)
apple  | containerization | up to 0.21.0 (excluding)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the ArchiveReader.extractContents() function used by the cctl image load command in Apple's containerization project. The function does not validate the pathnames of files inside an archive before extracting them. As a result, a maliciously crafted archive can use relative path traversal (like "../../../../tmp/pwned.txt") to extract files outside the intended directory into any user-writable location on the system. This can lead to unauthorized files being written to arbitrary locations. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability allows writing files to arbitrary user-writable locations but does not involve privilege escalation or direct data breaches. Therefore, any compliance impact would depend on the specific use case and environment, which is not detailed here. [1]


How can this vulnerability impact me?

The impact of this vulnerability is that an attacker can write files to any location on the filesystem where the user has write permissions by crafting a malicious archive. However, it does not allow privilege escalation or writing to locations without user write access. The severity is considered low, but it could be used to place unwanted or malicious files in arbitrary user-writable directories. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your system is using vulnerable versions of the Apple containerization packages (Swift package versions ≤0.7.1 and containerization versions ≤0.20.1). Additionally, you can monitor for unexpected files created outside of intended extraction directories, especially files with relative path traversal patterns like '../../../../../../tmp/pwned.txt'. A practical approach is to inspect archives before extraction for pathnames containing '../' sequences. While no specific detection commands are provided, you can use commands like 'tar -tf <archive>' to list archive contents and look for suspicious relative paths. Also, monitoring filesystem changes in user-writable directories after running 'cctl image load' may help detect exploitation attempts. [1]
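The defect named in the description (an extractor that joins archive member names onto the destination directory with no validation) and the advice in this answer (list the members and look for '../' and other unsafe paths before extracting) can be combined into a pre-extraction audit. The following Python script is an added example and is not code from Apple's container or containerization projects; the destination directory /var/lib/cctl/images/import, the member names in the constructed sample archive, and the verdict strings are all assumptions made for the demonstration. It goes slightly beyond the '../' case in the text by also rejecting absolute member names and symbolic or hard links whose targets leave the destination, since those are the other CWE-22 routes an archive extractor has to close.

```python
"""Defensive pre-extraction audit of tar member paths (CWE-22).

Added example, not code from the Apple container/containerization projects.
It models the failure mode the CVE description names: an extractor that
joins member names onto a destination directory without validating them.
"""
import io
import os
import tarfile

# Assumed destination for the demo; the real extractor's directory is not on the page.
DEFAULT_DEST = "/var/lib/cctl/images/import"


def resolve_member(dest: str, name: str) -> str:
    """Absolute path a member named `name` would land on under `dest`,
    after normalising '.' and '..' components (no filesystem access)."""
    return os.path.normpath(os.path.join(dest, name))


def is_within(dest: str, path: str) -> bool:
    """True if `path` is `dest` itself or lies strictly beneath it."""
    dest_abs = os.path.abspath(dest)
    return os.path.commonpath([dest_abs, os.path.abspath(path)]) == dest_abs


def classify_member(member: tarfile.TarInfo, dest: str) -> str:
    """Return 'ok' or the reason this member must not be extracted."""
    name = member.name
    if os.path.isabs(name):
        return "absolute path"
    target = resolve_member(dest, name)
    if not is_within(dest, target):
        return "path traversal"
    if member.issym() or member.islnk():
        # A symlink target is relative to the link's own directory; a hard
        # link target is relative to the archive root. Either kind pointing
        # outside `dest` lets a later member be written through the link.
        if member.islnk():
            link_target = os.path.join(dest, member.linkname)
        else:
            link_target = os.path.join(os.path.dirname(target), member.linkname)
        if not is_within(dest, os.path.normpath(link_target)):
            return "link escapes destination"
    return "ok"


def audit_archive(data: bytes, dest: str = DEFAULT_DEST) -> dict:
    """Map every member name to its verdict without extracting anything.
    This is the check that must run before each member is written."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            verdicts[member.name] = classify_member(member, dest)
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed sample archive for the demo (not a real container image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("manifest.json", b"{}")                       # legitimate member
        add_file("../../../../tmp/pwned.txt", b"owned")        # traversal pattern from the advisory text
        add_file("/etc/cron.d/job", b"")                       # absolute member name
        link = tarfile.TarInfo("blobs")                        # symlink whose target leaves dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../tmp"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in audit_archive(build_sample_archive()).items():
        print(f"{verdict:>24}  {name}")
```

Run on the constructed archive, only manifest.json is reported as 'ok'; the other three members are refused before anything touches the filesystem. An extractor should apply the same per-member check in the loop that writes files, not only as a separate listing step, because a check on the listing alone gives no protection if extraction later reads a different archive.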


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade the Apple containerization packages to versions 0.8.0 or later for the Swift container package and 0.21.0 or later for the containerization project, where the issue is patched. Avoid loading untrusted or maliciously crafted archives using 'cctl image load' until the update is applied. Additionally, restrict user permissions to limit writable locations and monitor extraction operations for suspicious activity. [1]

