HIGH | CVE-2026-44604 | CNA: redhat

CVE-2026-44604: Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the dountar() routine inserts the archive's top-level directory name into a shell command string that is run through popen(), without escaping or validating it. A specially crafted archive whose top-level directory name contains shell metacharacters can therefore execute arbitrary commands with the privileges of the user running the extraction.

HarborGuard Analysis

Synopsis

A command injection vulnerability exists in the rpmuncompress utility, part of the RPM package management toolchain shipped with Red Hat Enterprise Linux and related products. When extracting ZIP, 7z, or GEM archives, rpmuncompress passes the archive's top-level directory name directly into a popen() shell command without sanitizing it, allowing a crafted archive with shell metacharacters in its folder name to execute arbitrary commands. Successful exploitation gives the attacker full control over the process running the extraction, including read, write, and execution capabilities at that user's privilege level. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
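To make the failure mode concrete, the following is an added example, not rpm's source and not HarborGuard's code: it reproduces the pattern behind this CVE (an untrusted archive top-level directory name pasted into a command line destined for popen()) and shows three hardened alternatives: a strict allowlist on the name, single-quoting the word if a shell command must be built, and, preferably, fork()+execvp() with an argv vector so no shell is involved. The `mv` command template, the function names and the crafted name in main() are assumptions for illustration; rpmuncompress's real command is not reproduced. The allowlist function is also the kind of gate a pipeline could apply to an archive's top-level entry before calling rpmuncompress.

```c
/*
 * Added example, not rpm's source: it reproduces the *pattern* behind
 * CVE-2026-44604 (an untrusted archive top-level directory name pasted into a
 * popen() command line) and shows three hardened alternatives. The "mv"
 * command template, the function names and the crafted name in main() are
 * assumptions for illustration; rpmuncompress's real command is not reproduced.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the name goes into the command line verbatim, so any
 * shell metacharacter in it (; | & ` $( ) etc.) is interpreted by /bin/sh
 * when the string is handed to popen(). Returns the length or -1. */
int build_cmd_unsafe(const char *topdir, const char *dest, char *out, size_t n)
{
    int len = snprintf(out, n, "mv %s/* %s/", topdir, dest);  /* hypothetical template */
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Fix 1: strict allowlist. Accept only [A-Za-z0-9._-], not empty, and not
 * starting with '-' (option injection) or '.' (hidden entries, "..") . */
int topdir_name_is_safe(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || *s == '.')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fix 2: if a shell command must be built, single-quote the untrusted word.
 * Inside single quotes only the quote itself is special; it becomes '\'' .
 * Returns bytes written (excluding the NUL) or -1 if out is too small. */
int shell_single_quote(const char *s, char *out, size_t n)
{
    size_t pos = 0;
    if (n < 3) return -1;
    out[pos++] = '\'';
    for (; *s; s++) {
        size_t rlen = (*s == '\'') ? 4 : 1;
        if (pos + rlen + 1 >= n) return -1;   /* keep room for closing quote + NUL */
        if (rlen == 4) memcpy(out + pos, "'\\''", 4);
        else           out[pos] = *s;
        pos += rlen;
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return (int)pos;
}

int build_cmd_quoted(const char *topdir, const char *dest, char *out, size_t n)
{
    char qtop[256], qdest[256];
    if (shell_single_quote(topdir, qtop, sizeof qtop) < 0 ||
        shell_single_quote(dest, qdest, sizeof qdest) < 0)
        return -1;
    int len = snprintf(out, n, "mv %s/* %s/", qtop, qdest);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Fix 3 (preferred): no shell at all. fork()+execvp() takes an argv vector,
 * so metacharacters in the name are just bytes of one argument. Returns the
 * child's exit status, or -1 if fork/exec/wait failed. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed malicious top-level directory name, as a crafted ZIP/7z/GEM
     * entry might carry it. Handed to popen() unquoted, "id" would execute. */
    const char *evil = "pkg-1.0; id > /tmp/pwned; echo ";
    char cmd[512];

    if (build_cmd_unsafe(evil, "/build/out", cmd, sizeof cmd) > 0)
        printf("unsafe  : %s\n", cmd);
    printf("allowlist rejects it: %s\n", topdir_name_is_safe(evil) ? "no" : "yes");
    if (build_cmd_quoted(evil, "/build/out", cmd, sizeof cmd) > 0)
        printf("quoted  : %s\n", cmd);          /* the name is now one literal word */

    char *argv[] = { "echo", "argv word:", (char *)evil, NULL };
    printf("execvp exit status: %d\n", run_argv(argv));  /* echoes the literal name */
    return 0;
}
```

Of the three, the argv route removes the shell from the picture entirely and is the one to prefer; quoting is only a fallback when the command genuinely needs shell features (the unquoted `*` glob in the template above is an example of why such templates are fragile), and the allowlist is a cheap pre-check that also rejects names beginning with `-` or `.`, which quoting alone does not address.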

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-44604 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (Red Hat Security Advisories and NVD) within minutes of publication and matched against all customer images, including custom-built images that bundle RPM or rpmuncompress. Any image layer containing an affected RPM version is flagged in the customer's registry and CI pipeline scan results.

Triage (status: Available)

HarborGuard scores this finding at CVSS 7.0 (HIGH) per the published v3.1 vector and surfaces it accordingly in each customer's dashboard. Per-environment compliance policies can further weight or escalate the finding, and routing rules direct the alert to the team or inbox the customer has configured for HIGH-severity OS-package issues.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a remediated RPM package is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once the upstream fix exists.

Exploit Conditions

  • Network reachability: Not required

    The vector is local (AV:L): the attacker does not reach rpmuncompress over the network. The crafted archive has to be delivered to a host where an existing process or shell session then invokes rpmuncompress on it.

  • Authentication: Not required

    No account credentials are required (PR:N); the attacker only needs to supply a crafted archive to a user or process that will extract it.

  • Victim interaction: Required

    A user or automated process must extract the attacker-supplied archive (UI:R), making this a social-engineering or supply-chain vector that depends on the victim performing the extraction.

  • Attack complexity: High

    Attack complexity is HIGH (AC:H): reliable exploitation depends on conditions outside the attacker's control rather than on a condition-free flaw. Here the archive must be in one of the affected formats (ZIP, 7z or GEM) and must be extracted to a specified destination directory so that the vulnerable dountar() code path runs; the attacker must also get the archive into a position where the target will extract it at all.

Blast Radius

  • Reads any file accessible to the user running rpmuncompress, including local credentials, SSH keys, and application secrets.
  • Writes or overwrites files in that user's writable paths, enabling persistent backdoors or corruption of package metadata.
  • Executes arbitrary commands at the privilege level of the extracting user, which in automated build pipelines may be an elevated service account.
  • Disrupts the extraction process itself, potentially breaking package installation or build workflows that depend on it.

How HarborGuard Handles This

Available on HarborGuard: any image layer containing an affected version of RPM or rpmuncompress across Red Hat Enterprise Linux 6 through 10 and related products is detectable in customer registries and pipelines within minutes of the advisory being ingested. Because Red Hat has not yet published a fix, no patched rebuild is available at this time; HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched rebuild automatically once upstream ships one. In the meantime, compensating controls worth considering include restricting which users or service accounts can invoke rpmuncompress, applying network and filesystem policies that limit the blast radius if an automated pipeline extracts an untrusted archive, and gating archive extraction behind an integrity-verification step (such as checksum or signature validation) before rpmuncompress is called. For customers with auto-remediation enabled, the full rebuild-and-PR flow will trigger without manual steps the moment a fixed RPM version is available.


Metrics

CVSS v3.1: 7.0
Severity: HIGH
Fixed in: none yet (no upstream fix published)
Affected products: 14
Affected packages:
  • Red Hat / Pen Drive Powered by Red Hat Lightspeed
  • Red Hat / Red Hat build of Quarkus Native builder
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 6
  • Red Hat / Red Hat Enterprise Linux 7
  • Red Hat / Red Hat Enterprise Linux 8
  • Red Hat / Red Hat Enterprise Linux 9
  • Red Hat / Red Hat Enterprise Linux 9
  • Red Hat / Red Hat Hardened Images
  • Red Hat / Red Hat OpenShift Container Platform 4
  • Red Hat / Red Hat Satellite 6
  • Red Hat / Red Hat Satellite 6
  • Red Hat / Red Hat Satellite 6
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H