PT-2026-36506 · Agl · App-Framework-Main

Feng Ning · Published 2026-05-01 · Updated 2026-05-12

CVE-2026-37531
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
AGL app-framework-main versions 17.1.12 and earlier

Description
A Zip Slip path traversal issue combined with a Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the widget installation flow. The is_valid_filename() function in wgtpkg-zip.c does not check for dot-notation directory traversal sequences ("..") and blocks only absolute paths. Consequently, the zread() extraction function calls openat(workdirfd, filename, O_CREAT), which resolves such sequences relative to the work directory, so files can be written anywhere on the filesystem. In the install_widget() function in wgtpkg-install.c, extraction via zread() happens before signature verification via check_all_signatures(). If signature verification fails, the remove_workdir() cleanup only deletes the temporary work directory, so any files written outside that directory via path traversal remain on the system permanently.

Recommendations
Update to a version later than 17.1.12. As a temporary workaround, restrict write permissions on the filesystem to minimize the risk of arbitrary file writes during widget installation.
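The validator below is an added example written for this advisory, not code from app-framework-main. It shows the kind of entry-name check that closes the gap the description attributes to is_valid_filename(): in addition to rejecting absolute paths, it rejects any "." or ".." component, empty components and backslash separators, so that a later openat(workdirfd, ...) cannot resolve outside the work directory. The function names (is_safe_entry_name, count_unsafe_entries) and the sample entry names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true only when 'name' is a relative path built from ordinary
 * components. Rejected: NULL or empty names, a leading '/', any '\\',
 * any empty component ("a//b"), and any "." or ".." component.
 * A single trailing '/' (a directory entry) is accepted. */
bool is_safe_entry_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (*name == '/')
        return false;               /* absolute path */
    if (strchr(name, '\\') != NULL)
        return false;               /* never treat backslash as harmless text */

    const char *p = name;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)
            return false;           /* "a//b": empty interior component */
        if (len == 1 && p[0] == '.')
            return false;           /* "." component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;           /* ".." component: would escape workdir */
        if (end == NULL)
            break;                  /* last component checked */
        p = end + 1;                /* "dir/" ends the loop here: accepted */
    }
    return true;
}

/* Constructed sample entry names (hypothetical, not from a real widget). */
const char *const SAMPLE_ENTRIES[] = {
    "config.xml",          /* safe */
    "bin/app",             /* safe */
    "icons/",              /* safe: directory entry */
    "../../outside/file",  /* unsafe: ".." traversal */
    "/etc/passwd",         /* unsafe: absolute path */
    "a/./b",               /* unsafe: "." component */
    "a//b",                /* unsafe: empty component */
    "a\\..\\b",            /* unsafe: backslash separators */
    "",                    /* unsafe: empty name */
};

/* Counts how many names an installer should refuse before extracting.
 * A safe installer refuses the whole archive if this is non-zero. */
size_t count_unsafe_entries(const char *const *names, size_t n)
{
    size_t unsafe = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_safe_entry_name(names[i]))
            unsafe++;
    return unsafe;
}

int main(void)
{
    size_t n = sizeof SAMPLE_ENTRIES / sizeof SAMPLE_ENTRIES[0];
    for (size_t i = 0; i < n; i++)
        printf("%-24s %s\n", SAMPLE_ENTRIES[i],
               is_safe_entry_name(SAMPLE_ENTRIES[i]) ? "ok" : "REJECT");
    printf("%zu of %zu entries rejected\n", count_unsafe_entries(SAMPLE_ENTRIES, n), n);
    return 0;
}
```

Two design points matter here. First, the check is performed on every entry name before any file is created, so a single bad entry aborts the whole install rather than leaving partial writes behind; second, this name check is only half of the fix the advisory implies, since verifying signatures before extraction (rather than after, as described for install_widget()) is what keeps an untrusted archive from being unpacked at all.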

Fix · Time Of Check To Time Of Use · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2026-37531

Affected Products: App-Framework-Main