CVE-2026-41991
Status: Received - Intake

Insecure Temporary File Handling in GNU gzip gzexe Utility

Vulnerability report for CVE-2026-41991, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: CERT.PL

Description

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user's PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre-create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time-of-check to time-of-use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product | Version / Range
gnu | gzip | up to 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 (inclusive)
gnu | gzip | up to 3.0.0 (inclusive)

Exploitability

CWE: CWE-377 (Insecure Temporary File). Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Executive Summary

The vulnerability exists in the GNU gzip utility called gzexe, which handles temporary files insecurely when the mktemp utility is not available in the user's PATH.

In this case, gzexe creates a temporary file path based only on the process ID (PID), which is predictable and lacks exclusive access or existence checks.

A local attacker can exploit this by pre-creating the predicted temporary file path as a symbolic link to an arbitrary file writable by the victim.

When gzexe runs, it follows the symlink and overwrites the target file, causing a time-of-check to time-of-use (TOCTOU) race condition that allows arbitrary file overwrite.

Impact Analysis

This vulnerability allows a local attacker to overwrite arbitrary files by exploiting the predictable temporary file naming and symbolic link manipulation.

Such arbitrary file overwrite can lead to unauthorized modification or corruption of files, potentially causing system instability, data loss, or privilege escalation depending on which files are overwritten.

Detection Guidance

This vulnerability involves the gzexe utility in GNU gzip creating temporary files insecurely when the mktemp utility is not available in the user's PATH. Detection would involve checking if mktemp is missing and if gzexe is using a fallback method that creates predictable temporary filenames based on the process ID.

You can check if mktemp is available by running the command: `which mktemp` or `command -v mktemp`. If mktemp is not found, the system might be vulnerable if it uses an unpatched version of gzexe.

To verify the version or patch status of gzip, you can check the installed gzip version or inspect the gzexe script for the presence of the safe fallback method (using umask 77 and set -C). For example, you might run: `gzip --version` or inspect the gzexe script source.

Since the vulnerability is local and related to file creation race conditions, network detection is not applicable.

Mitigation Strategies

The immediate mitigation step is to update GNU gzip to a version that includes the fix from commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269.

This fix ensures that temporary files are created safely by using a combination of umask 77 and set -C to prevent overwriting existing files, even when mktemp is unavailable.

If updating is not immediately possible, ensure that the mktemp utility is available in the PATH to avoid the insecure fallback method.

Additionally, restrict local user permissions to prevent untrusted users from creating symbolic links or files in directories where gzexe creates temporary files.
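The following POSIX shell script is an added example for this record, not code from gzexe or the GNU gzip project. It ties together the two detection checks from the guidance above (is mktemp on PATH, and does a gzexe script carry the hardened fallback markers) with the mitigation the fix is described as using: the predictable PID-based fallback written with a plain redirection, beside the hardened form that combines umask 77 and set -C. The marker check is a heuristic that assumes the patched script literally contains the strings `umask 77` and `set -C`; the scratch directory, the victim file and the planted symlink are all constructed by the script itself so that it runs offline.

```shell
#!/bin/sh
# Added example for this record; it is not gzexe's own code. It shows the
# detection checks from the guidance and the hardened fallback (umask 77 +
# set -C) that the fix is described as using, beside the predictable
# PID-based pattern it replaces. Every path is created inside a scratch
# directory this script builds itself; the "planted" symlink is constructed.

# Detection check 1: is mktemp on PATH? gzexe's fallback is only reached when
# it is not. Returns 0 when mktemp is available.
have_mktemp() {
    command -v mktemp >/dev/null 2>&1
}

# Detection check 2 (heuristic; an assumption about the patched script's
# text): does the gzexe script at $1 carry the 'umask 77' and 'set -C'
# markers of the hardened fallback? A version check is the reliable route.
gzexe_has_hardened_fallback() {
    grep -q 'umask 77' "$1" && grep -q 'set -C' "$1"
}

# Vulnerable pattern: a plain redirection to a predictable path. If that path
# already exists as a symlink, the kernel follows it and truncates the target.
unsafe_create() {
    : > "$1"
}

# Hardened pattern: umask 77 keeps the new file private, and set -C
# (noclobber) makes '>' open the path with O_CREAT|O_EXCL, so an existing
# file or a planted symlink makes the redirection fail instead of being
# followed. Run in a subshell so neither setting leaks to the caller.
safe_create() {
    ( umask 77 && set -C && : > "$1" ) 2>/dev/null
}

# Demo harness: plant a symlink at a PID-derived temp path (the constructed
# attacker precondition the record describes), run the creator named in $1
# against it, and report "<outcome>:<victim contents afterwards>".
run_planted_symlink_demo() {
    creator=$1
    dir=${TMPDIR:-/tmp}/tmpfile-demo.$$.$creator
    mkdir -m 700 "$dir" || return 2      # mkdir does not follow symlinks
    victim="$dir/victim.txt"
    printf 'original' > "$victim"
    tmp="$dir/gzexe$$"                    # predictable, PID-only name
    ln -s "$victim" "$tmp"                # constructed planted link
    if "$creator" "$tmp"; then
        outcome=created
    else
        outcome=refused
    fi
    contents=$(cat "$victim")
    rm -rf "$dir"
    echo "$outcome:$contents"
}

# Stand-alone run (sh example.sh demo): prints the mktemp status and the
# outcome of each pattern against the planted link.
if [ "${1:-}" = demo ]; then
    have_mktemp && echo "mktemp: available (fallback not reached)" \
                || echo "mktemp: missing (fallback path in use)"
    echo "plain redirect     -> $(run_planted_symlink_demo unsafe_create)"
    echo "umask 77 + set -C  -> $(run_planted_symlink_demo safe_create)"
fi
```

Run with `sh example.sh demo`: the plain redirection reports `created:` with the victim file emptied, while the hardened form reports `refused:original` because O_EXCL refuses to open a path that already exists, symlink or not. The same property is why making mktemp available on PATH is an adequate stopgap: mktemp creates its file with O_EXCL and a random name, so the fallback is never reached.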

Compliance Impact

The provided context and resources do not include information about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
