CVE-2026-21436
Directory Traversal in eopkg Allows Malicious Package File Escape
Publication date: 2026-01-01
Last updated on: 2026-03-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getsol | eopkg | versions before 4.4.0 (4.4.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-24 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21436 is a path traversal vulnerability in the eopkg package manager used by the Solus Linux distribution. In versions prior to 4.4.0, a malicious package could include files with crafted paths containing directory traversal sequences (like '../') that allow these files to escape the directory specified by the --destdir option during installation. This means files could be installed outside the intended directory on the host system. The vulnerability requires installing a package from a malicious or compromised source, with high privileges and user interaction. The issue was fixed by normalizing file paths during package extraction to remove relative components and ignoring files not listed in the package database, preventing malicious files from escaping the intended directory. [1, 2, 4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing a malicious package to install files outside the intended directory, potentially overwriting or adding files in arbitrary locations on your system. This can compromise the integrity and availability of your system by introducing unauthorized or malicious files. However, it does not impact confidentiality. Exploitation requires installing a package from a malicious or compromised source, high privileges, and user interaction. Users who only install packages from the official Solus repositories are not affected. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of files installed outside the intended directory specified by the --destdir option during package installation with eopkg versions prior to 4.4.0. Since the issue involves path traversal via '../' sequences in package file paths, you can look for unexpected files or directories created outside the expected installation path after installing packages from untrusted sources. There are no specific commands provided in the resources, but monitoring file system changes during package installation and verifying that files are only installed within the intended directory can help detect exploitation attempts. [2, 4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the eopkg package manager to version 4.4.0 or later, where the path traversal issue has been fixed by normalizing file paths and ignoring malicious files during extraction. Avoid installing packages from untrusted or compromised sources, as exploitation requires installing a malicious package. It is also recommended to use Flatpak for third-party software to reduce risk. Additionally, ensure that the --destdir flag is not relied upon as a security boundary since it does not sandbox installations. [2, 3, 4]
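The fix described in the explanation above (normalize each file path during extraction, reject anything that resolves outside the --destdir target, and ignore files not listed in the package's file list) and the detection advice (verify that nothing lands outside the intended directory) both come down to the same check. The following is an added illustration of that check, written here for this page; it is not eopkg's own code, and the manifest, archive member names and the destdir path are constructed for the example.

```python
import os
import posixpath

# Constructed sample data (hypothetical, not eopkg's real data structures):
# the file list the package metadata declares, and the member paths that are
# actually present inside the archive being extracted.
MANIFEST = {"usr/bin/tool", "usr/share/doc/tool/README"}

ARCHIVE_MEMBERS = [
    "usr/bin/tool",                   # legitimate, listed
    "usr/share/doc/tool/README",      # legitimate, listed
    "../../etc/cron.d/job",           # plain traversal (constructed)
    "usr/lib/../../../root/.ssh/x",   # traversal hidden until normalised
    "/etc/passwd",                    # absolute path, also unlisted
    "usr/share/extra/unlisted",       # inside destdir but not in the file list
]


def resolve_under_destdir(destdir, member):
    """Return the absolute on-disk target for `member` under `destdir`,
    or None when the normalised path would escape destdir."""
    root = os.path.realpath(destdir)
    # Every archive member is treated as relative to destdir, even if it
    # starts with "/". normpath collapses "." and ".." components.
    rel = posixpath.normpath(member.lstrip("/"))
    if rel in (".", "..") or rel.startswith("../"):
        return None
    target = os.path.realpath(os.path.join(root, rel))
    # commonpath (not startswith) so that /dest does not accept /dest2/...
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def plan_extraction(destdir, members, manifest):
    """Decide which members may be written and why the rest are dropped.
    Returns (accepted_targets, [(member, reason), ...])."""
    accepted, rejected = [], []
    for member in members:
        normalized = posixpath.normpath(member.lstrip("/"))
        target = resolve_under_destdir(destdir, member)
        if target is None:
            rejected.append((member, "escapes destdir"))
        elif normalized not in manifest:
            rejected.append((member, "not listed in package file list"))
        else:
            accepted.append(target)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = plan_extraction("/tmp/destdir-example", ARCHIVE_MEMBERS, MANIFEST)
    for path in ok:
        print("write  ", path)
    for member, reason in dropped:
        print("reject ", member, "->", reason)
```

Two design points are worth noting. The containment test uses `os.path.commonpath` on realpath-resolved paths rather than a string prefix comparison, which would wrongly accept a sibling directory whose name merely starts with the destdir name. And the manifest check is applied independently of the traversal check, so a file that stays inside destdir but is not declared in the package file list is still dropped, matching the "ignore files not listed in the package database" part of the fix. The realpath call only resolves symlinks that already exist; an extractor that writes symlinks from the same archive must re-check each target after earlier members have been created.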
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.