CVE-2026-40556
Insecure Directory Permissions in GNU nano Allow Local Attackers
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: CERT.PL
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnu | nano | 9.0 |
| gnu | nano | From 2.9.1 (inc) to 9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in GNU nano occurs because it creates the user's ~/.local directory with overly permissive permissions (mode 0777) when the directory does not exist yet. This means the directory is world-writable in environments where the process umask does not sufficiently restrict permissions, such as container environments, CI/CD runners, embedded systems, or user shells configured with umask 000.
A local attacker can exploit a race condition between the creation of the ~/.local directory and the subsequent creation of more restrictive subdirectories to write attacker-controlled files into the victim's XDG directory hierarchy.
This issue was fixed in GNU nano version 9.0 by changing the directory permissions to be user-only, preventing group and others from accessing the directory.
How can this vulnerability impact me?
If your system or environment has a relaxed or zero umask setting, this vulnerability can allow a local attacker to write malicious or attacker-controlled files into your ~/.local directory hierarchy.
This can lead to unauthorized modification or insertion of files within your user data directories, potentially compromising the integrity and security of your user environment.
Such an attack is possible because the ~/.local directory is created as world-writable before more restrictive subdirectories are created, opening a race window for exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the permissions of the ~/.local directory created by GNU nano. If the directory is world-writable (mode 0777), especially in an environment with a relaxed or zero umask, it indicates the presence of the vulnerability.
You can use the following command to check the permissions of the ~/.local directory:
- ls -ld ~/.local
If the output shows permissions like drwxrwxrwx (mode 0777), the directory is world-writable and vulnerable.
Additionally, checking the umask setting in your environment can help identify if the system is prone to this issue. Use:
- umask
A umask of 000 or similarly permissive values increases the risk of this vulnerability being exploitable.
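As an added example (not taken from the advisory or from the nano project), the permission check above can be extended into one audit that also lists entries under ~/.local not owned by the account, since tightening the mode afterwards does not remove files written while the directory was open. The function names and the exit-status scheme are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit ~/.local (or another directory) for the condition
# described for CVE-2026-40556. Function names and exit codes are hypothetical.

# is_writable_by_others DIR -> succeeds if DIR itself is group- or world-writable.
is_writable_by_others() {
    # -prune keeps find on DIR itself; "-perm -NNNN" means all listed bits are set.
    [ -n "$(find "$1" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]
}

# foreign_entries DIR UID -> prints every entry under DIR not owned by UID.
foreign_entries() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# audit_local_dir [DIR] [UID]
# Exit status: 0 clean or absent, 1 loose mode, 2 foreign-owned entries, 3 both.
audit_local_dir() {
    audit_dir=${1:-"$HOME/.local"}
    audit_uid=${2:-$(id -u)}
    audit_rc=0
    if [ ! -d "$audit_dir" ]; then
        echo "absent: $audit_dir"
        return 0
    fi
    if is_writable_by_others "$audit_dir"; then
        echo "LOOSE MODE: $(ls -ld "$audit_dir")"
        audit_rc=1
    fi
    audit_found=$(foreign_entries "$audit_dir" "$audit_uid")
    if [ -n "$audit_found" ]; then
        echo "NOT OWNED BY UID $audit_uid:"
        echo "$audit_found"
        audit_rc=$((audit_rc + 2))
    fi
    if [ "$audit_rc" -eq 0 ]; then
        echo "ok: $audit_dir"
    fi
    return "$audit_rc"
}
```

Calling `audit_local_dir` with no arguments checks the current account's ~/.local; any entry reported as not owned by the account should be reviewed before it is trusted or deleted.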
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade GNU nano to version 9.0 or later, where this vulnerability has been fixed by restricting the permissions of the ~/.local directory to user-only access.
If upgrading is not immediately possible, you should manually correct the permissions of the ~/.local directory to remove world-writable access by running:
- chmod 700 ~/.local
Also, review and adjust the system or user umask settings to ensure they are not overly permissive (avoid umask 000). A more restrictive umask such as 022 or 027 is recommended.
- umask 022
These steps reduce the risk of local attackers exploiting the race condition to insert malicious files into the XDG directory hierarchy.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in GNU nano causes the ~/.local directory to be created with overly permissive, world-writable permissions in certain environments. This can allow a local attacker to write malicious files into the victim's XDG directory hierarchy.
Such insecure permissions and potential unauthorized file modifications could lead to violations of security best practices required by common standards and regulations like GDPR and HIPAA, which mandate protection of user data and system integrity.
Specifically, the risk of unauthorized access or modification of user data due to improper directory permissions may impact compliance with data protection and privacy requirements, increasing the likelihood of data breaches or unauthorized data manipulation.
The issue was fixed in GNU nano version 9.0 by restricting directory permissions to user-only access, thereby mitigating this compliance risk.