CVE-2026-46388
Received Received - Intake

osquery File Carve Privilege Escalation Vulnerability

Vulnerability report for CVE-2026-46388, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
osquery osquery 5.23.1
osquery osquery to 5.23.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-279 While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
CWE-378 Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.
CWE-379 The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46388 is a vulnerability in osquery, a SQL-powered operating system instrumentation and monitoring framework. Before version 5.23.1, an unprivileged attacker could read the contents of an in-progress file carve because the temporary directories used during carving were not created with private permissions. This meant that if the carve targeted a directory controlled by the attacker, they could read arbitrary sensitive files on the system.

The root cause was a race condition where carve directories were briefly world-readable or writable before permissions were tightened. The issue was fixed by introducing a new cross-platform API that creates directories with owner-only permissions from the moment of creation, preventing unauthorized access during the carve process.

Impact Analysis

This vulnerability allows an unprivileged local attacker to read sensitive files on the system by accessing temporary carve directories before they are deleted. This can lead to exposure of confidential information such as password files (e.g., /etc/shadow) or other sensitive local files.

The attack requires local access, has high complexity, and requires user interaction, but it impacts confidentiality by allowing unauthorized file reads. It does not affect integrity or availability of the system.

Detection Guidance

This vulnerability involves in-progress file carve directories being created without private permissions, allowing unprivileged users to read temporary carve files. Detection involves monitoring for unauthorized access to osquery carve directories or temporary files during carving operations.

Since the issue is related to directory permissions during file carving, you can check the permissions of osquery carve directories while a carve is in progress. On POSIX systems, look for directories related to osquery file carving that are not set to mode 0700 (owner-only access).

Suggested commands to detect potential exploitation or presence of the vulnerability include:

  • Use `ls -ld` on osquery carve directories to verify permissions, e.g., `ls -ld /path/to/osquery/carve_dir`.
  • Use `find` to locate carve directories with overly permissive permissions, e.g., `find /path/to/osquery -type d ! -perm 700`.
  • Monitor file access logs or audit logs for unexpected reads of temporary carve files by unprivileged users.

Note that file carving is disabled by default, so detection efforts should focus on systems where carving is enabled or in use.

Mitigation Strategies

The primary mitigation is to upgrade osquery to version 5.23.1 or later, where the vulnerability is fixed by creating carve directories with owner-only permissions from the moment of creation.

If upgrading immediately is not possible, you can mitigate the risk by disabling the file carving feature, which is disabled by default, using the command-line option `--disable_carver=true`.

Additionally, ensure that temporary carve directories are not located in directories controlled by unprivileged users to prevent arbitrary file reads.

Review and restrict permissions on existing carve directories to ensure they are not world-readable or writable.

Compliance Impact

This vulnerability allows unprivileged local attackers to read sensitive files temporarily during the file carving process in osquery versions prior to 5.23.1. Such unauthorized access to sensitive data can lead to confidentiality breaches.

Since the vulnerability impacts confidentiality by exposing sensitive local files (e.g., /etc/shadow), it could negatively affect compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect sensitive personal and health information from unauthorized access.

The issue has been fixed in version 5.23.1 by enforcing strict owner-only permissions on temporary carve directories, mitigating the risk of unauthorized data exposure and helping organizations maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart