CVE-2026-44604
Command Injection in RPM rpmuncompress Utility
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | rpm | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44604 is a command injection vulnerability in the RPM package manager's `rpmuncompress` utility. It occurs when extracting certain archive formats such as ZIP, 7z, and GEM to a specified directory. The tool inserts the archive's top-level folder name into a shell command without properly escaping single quotes or other shell metacharacters.
If an attacker crafts an archive with a top-level directory name containing malicious shell commands (using single quotes to break out of the intended command), these commands can be executed with the permissions of the user running the extraction.
This vulnerability specifically affects the `singleRoot()` path in the `rpmuncompress` tool and arises from using `popen()` to run shell commands without sanitizing input. The issue does not affect common tar extraction methods.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary commands on the system with the same privileges as the user running the `rpmuncompress` extraction process.
- Arbitrary code execution can lead to data theft.
- It can allow unauthorized modification or deletion of files.
- It can disrupt build workflows, especially those using RPM source-preparation workflows like `%setup/%autosetup -C`.
Because exploitation requires local access and user interaction (due to UI:R in CVSS), the risk is primarily to users who extract untrusted archives.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying usage of the vulnerable `rpmuncompress` utility when extracting certain archive formats (ZIP, 7z, GEM) with the `-x -C` options. Specifically, look for extraction commands that process archives containing top-level directory names with suspicious characters such as single quotes or shell metacharacters.
You can look for recent or suspicious `rpmuncompress` extractions in shell history and logs with a command such as:
- `grep -E 'rpmuncompress.*-x.*-C' ~/.bash_history /var/log/*`
Additionally, scanning for archives with potentially malicious top-level directory names can be done by inspecting archive contents before extraction. For example, to list the top-level directory name in a ZIP archive:
- `unzip -l archive.zip | head -n 2`
Look for directory names containing single quotes or shell metacharacters that could be used for command injection.
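The pre-extraction inspection described above, written out as an added example in Python (this is not code from the RPM project or from this advisory): it finds a ZIP archive's single top-level directory, the same value the `singleRoot()` path would pass to a shell, and refuses it when the name contains a single quote or another shell metacharacter. The sample archive is constructed in memory; `SHELL_META` is an assumed, deliberately broad character set.

```python
import io
import re
import zipfile
from typing import Optional, Set, Tuple

# Characters that could alter a shell command composed around a directory name.
# The advisory's case is the single quote; the rest are added for safety margin.
SHELL_META = re.compile(r"""['"`$\\;&|<>(){}\n*?!#~\s]""")


def top_level_names(data: bytes) -> Set[str]:
    """Return the set of top-level path components in a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name.split("/", 1)[0] for name in zf.namelist() if name}


def single_root(data: bytes) -> Optional[str]:
    """The archive's one top-level folder (the singleRoot() notion), else None."""
    roots = top_level_names(data)
    return roots.pop() if len(roots) == 1 else None


def is_safe_root(name: str) -> bool:
    """True only if the name cannot modify a shell command built around it."""
    return name not in ("", ".", "..") and not SHELL_META.search(name)


def check_archive(data: bytes) -> Tuple[bool, str]:
    """Decide whether an archive is safe to hand to a shell-composing extractor."""
    root = single_root(data)
    if root is None:
        return True, "no single top-level directory"
    if not is_safe_root(root):
        return False, f"suspicious top-level directory name: {root!r}"
    return True, f"top-level directory {root!r} is safe"


def make_zip(root: str) -> bytes:
    """Constructed sample archive containing one top-level folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{root}/README", "sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for root in ("pkg-1.0", "pkg'1.0"):
        print(root, check_archive(make_zip(root)))
```

When the check passes, extract with a library call (for example `zipfile.ZipFile.extractall`) rather than a composed shell string, so the directory name never reaches a shell at all.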
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, avoid using the vulnerable `rpmuncompress` tool to extract archives with untrusted or potentially malicious top-level directory names.
If extraction is necessary, ensure that archives are from trusted sources and do not contain shell metacharacters in their top-level directory names.
Apply any available patches or updates from your RPM package manager vendor that address this vulnerability by properly escaping single quotes or by removing shell command composition in the extraction process.
As a longer-term mitigation, consider using alternative extraction methods or tools that do not rely on shell command composition, such as direct filesystem API calls.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary code execution with the permissions of the user running the extraction process. This can lead to data theft, file modification, or disruption of workflows.
Such unauthorized access and potential data compromise could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data and maintaining system integrity.
However, the vulnerability requires local access and user interaction to exploit, which may limit exposure depending on the environment and controls in place.