CVE Alert

CVE-2026-44604

HIGH 7.0

Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command

CVSS Score: 7.0
EPSS Score: 0.0%
EPSS Percentile: 7th

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
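A pre-extraction check for the condition described above, as an added example that is not taken from RPM or from this advisory: it lists the top-level directory names in a ZIP archive and reports any that fall outside a conservative allowlist. It covers ZIP only; the allowlist, the function names and the sample archives are assumptions constructed for the illustration.

```python
import io
import re
import zipfile

# Assumption: conservative allowlist for a top-level directory name.
# Anything else (shell metacharacters, whitespace, quotes, backslashes) is reported.
SAFE_NAME = re.compile(r"[A-Za-z0-9._+~-]+")


def top_level_names(zf):
    """Return the distinct first path components of all archive members."""
    return {info.filename.split("/", 1)[0] for info in zf.infolist()}


def is_safe(name):
    """True when the name matches the allowlist and is not '.', '..' or option-like."""
    if name in (".", "..") or name.startswith("-"):
        return False
    return SAFE_NAME.fullmatch(name) is not None


def unsafe_top_level(zip_bytes):
    """Return the sorted top-level names that should block automated extraction."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(n for n in top_level_names(zf) if not is_safe(n))


def build_zip(member_names):
    """Build a constructed in-memory ZIP used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder\n")
    return buf.getvalue()


# Constructed samples: one ordinary source archive, one whose top-level
# directory name contains a shell metacharacter, one with an option-like name.
CLEAN = build_zip(["demo-1.0/README", "demo-1.0/src/main.c"])
SUSPECT = build_zip(["demo;x-1.0/README", "demo;x-1.0/src/main.c"])
OPTION_LIKE = build_zip(["-demo/README"])

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("suspect", SUSPECT), ("option-like", OPTION_LIKE)):
        flagged = unsafe_top_level(data)
        print(f"{label}: {'REJECT ' + repr(flagged) if flagged else 'ok'}")
```

A check like this can gate untrusted source archives in a build pipeline before they reach any extraction tool; it does not replace applying the vendor fix.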

CWE: CWE-78
Vendor: Red Hat
Product: Pen Drive Powered by Red Hat Lightspeed
Published: May 28, 2026
Last Updated: Jun 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Red Hat / Pen Drive Powered by Red Hat Lightspeed
All versions affected
Red Hat / Red Hat build of Quarkus Native builder
All versions affected
Red Hat / Red Hat Enterprise Linux 10
All versions affected
Red Hat / Red Hat Enterprise Linux 6
All versions affected
Red Hat / Red Hat Enterprise Linux 7
All versions affected
Red Hat / Red Hat Enterprise Linux 8
All versions affected
Red Hat / Red Hat Enterprise Linux 9
All versions affected
Red Hat / Red Hat Hardened Images
All versions affected
Red Hat / Red Hat OpenShift Container Platform 4
All versions affected
Red Hat / Red Hat Satellite 6
All versions affected

References

access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-44604
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2460967