Description
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
https://cert.pl/en/posts/2026/04/CVE-2026-41991/
Product product
https://www.gnu.org/software/gzip/
Scores
CVSS v3
4.7
EPSS
0.0010
EPSS Percentile
1.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-377
Status
published
Products (2)
GNU/gzip
< 1.14
gnu/gzip
< 1.14
Published
Jun 29, 2026
Tracked Since
Jun 29, 2026