Compliance Impact

The vulnerability allows arbitrary code execution with the permissions of the user running the extraction process. This can lead to data theft, file modification, or disruption of workflows.

Such unauthorized access and potential data compromise could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data and maintaining system integrity.

However, the vulnerability requires local access and user interaction to exploit, which may limit exposure depending on the environment and controls in place.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-44604 is a command injection vulnerability in the RPM package manager's `rpmuncompress` utility. It occurs when extracting certain archive formats such as ZIP, 7z, and GEM to a specified directory. The tool inserts the archive's top-level folder name into a shell command without properly escaping single quotes or other shell metacharacters.

If an attacker crafts an archive with a top-level directory name containing malicious shell commands (using single quotes to break out of the intended command), these commands can be executed with the permissions of the user running the extraction.

This vulnerability specifically affects the `singleRoot()` path in the `rpmuncompress` tool and arises from using `popen()` to run shell commands without sanitizing input. The issue does not affect common tar extraction methods.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the system with the same privileges as the user running the `rpmuncompress` extraction process.

• Arbitrary code execution can lead to data theft.
• It can allow unauthorized modification or deletion of files.
• It can disrupt build workflows, especially those using RPM source-preparation workflows like `%setup/%autosetup -C`.

Because exploitation requires local access and user interaction (due to UI:R in CVSS), the risk is primarily to users who extract untrusted archives.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying usage of the vulnerable `rpmuncompress` utility when extracting certain archive formats (ZIP, 7z, GEM) with the `-x -C` options. Specifically, look for extraction commands that process archives containing top-level directory names with suspicious characters such as single quotes or shell metacharacters.

You can check for running or recent extraction commands using `rpmuncompress` with the following example command to find suspicious archive extractions in logs or shell history:

• grep -E 'rpmuncompress.*-x.*-C' ~/.bash_history /var/log/*

Additionally, scanning for archives with potentially malicious top-level directory names can be done by inspecting archive contents before extraction. For example, to list the top-level directory name in a ZIP archive:

• unzip -l archive.zip | head -n 2

Look for directory names containing single quotes or shell metacharacters that could be used for command injection.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, avoid using the vulnerable `rpmuncompress` tool to extract archives with untrusted or potentially malicious top-level directory names.

If extraction is necessary, ensure that archives are from trusted sources and do not contain shell metacharacters in their top-level directory names.

Apply any available patches or updates from your RPM package manager vendor that address this vulnerability by properly escaping single quotes or by removing shell command composition in the extraction process.

As a longer-term mitigation, consider using alternative extraction methods or tools that do not rely on shell command composition, such as direct filesystem API calls.

Useful 0 Not Useful 0