CVE-2026-40024
Path Traversal in Sleuth Kit tsk_recover Enables Code Execution
Publication date: 2026-04-08
Last updated on: 2026-04-15
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sleuthkit | the_sleuth_kit | up to 4.15.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Sleuth Kit's tsk_recover allows an attacker to write files to arbitrary locations outside the intended recovery directory, potentially leading to code execution by overwriting critical system files. This unauthorized file manipulation and potential code execution could result in unauthorized access or modification of sensitive data.
Such unauthorized access and data manipulation could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and system security.
Can you explain this vulnerability to me?
The vulnerability exists in The Sleuth Kit through version 4.14.0, specifically in the tsk_recover tool. It is a path traversal vulnerability that allows an attacker to write files to arbitrary locations outside the intended recovery directory.
This happens because an attacker can craft a malicious filesystem image containing filenames or directory paths with path traversal sequences (such as /../). When tsk_recover processes this image, it writes files outside the designated output directory.
By exploiting this, an attacker could potentially overwrite important files like shell configuration files or cron entries, which might lead to code execution.
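A sketch of the kind of check whose absence the answer above describes, as an added example (not code from The Sleuth Kit or from this page): it validates a path read from an untrusted image before joining it to the recovery output directory. The function names, the `/cases/out` directory and the sample names are hypothetical, and POSIX `/` separators are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Added example; names are hypothetical, not Sleuth Kit APIs. Assumes POSIX '/'.
 * Returns 1 if a path read from an untrusted image has at least one
 * component and no ".." component, else 0. Rejecting every ".." is
 * deliberately conservative: "a/../b" is refused too. */
int image_path_is_safe(const char *name)
{
    int components = 0;
    if (name == NULL) return 0;
    while (*name) {
        while (*name == '/') name++;            /* skip repeated slashes */
        const char *start = name;
        while (*name && *name != '/') name++;   /* walk one component */
        size_t len = (size_t)(name - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;                           /* traversal component */
        if (len > 0)
            components++;
    }
    return components > 0;
}

/* Writes "<outdir>/<name>" into dst. Returns 0 on success, -1 if the
 * name is rejected or the result would be truncated. */
int join_under_outdir(char *dst, size_t dstlen,
                      const char *outdir, const char *name)
{
    if (!image_path_is_safe(name))
        return -1;
    while (*name == '/') name++;                /* absolute becomes relative */
    int n = snprintf(dst, dstlen, "%s/%s", outdir, name);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, as they might appear in an image. */
    const char *names[] = { "docs/report.txt", "/home/u/.bashrc",
                            "x/../../../etc/cron.d/job", ".." };
    char out[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = join_under_outdir(out, sizeof out, "/cases/out", names[i]);
        printf("%-28s -> %s\n", names[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

The check is purely lexical: it does not account for symbolic links already present under the output directory.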
How can this vulnerability impact me?
This vulnerability can have serious impacts, including unauthorized file writes outside the intended directory, which can overwrite critical system files.
Such overwrites could allow an attacker to execute arbitrary code by modifying shell configuration or scheduled tasks (cron entries), potentially compromising the affected system.