PT-2026-3917 · Pypi+4 · Wheel+4
Kilkat
Published: 2026-01-22 · Updated: 2026-05-21
CVE-2026-24049
CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
wheel versions 0.40.0 through 0.46.1
Description
The 'wheel' package, a tool for manipulating Python wheel files, contains a flaw in the unpack function: file permissions are mishandled after extraction. The logic trusts the filename from the archive header when setting file permissions, even though the extraction step has already sanitized the path. An attacker can craft a malicious wheel file that, when unpacked, alters the permissions of critical system files, potentially enabling privilege escalation or arbitrary code execution. The vulnerability is triggered when the unpack function applies permissions based on the unsanitized filename from the archive header, which can leave critical system files world-writable.
Recommendations
Update to a version of wheel greater than 0.46.1.
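Wheel files are zip archives, so the defect class the advisory describes can be illustrated with a small hardened unpacker. The code below is an added example written for this page; it is not code from the wheel project and does not reproduce its implementation. The function names (safe_unpack, _sanitized_target, _member_mode, demo), the destination directory and both archives are constructed for the illustration, and dropping the world-writable bit is an extra hardening choice, not something the advisory states. The point it shows: the path is validated before anything is written, and chmod is applied only to the sanitized destination path, never to a path derived from the raw header name.

```python
"""Hardened zip/wheel unpack: validate the member path first, then apply
permissions only to the sanitized path that was actually written."""
import os
import stat
import tempfile
import zipfile


def _sanitized_target(dest_dir: str, member_name: str) -> str:
    """Resolve member_name under dest_dir and reject anything that escapes it."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"archive member escapes destination: {member_name!r}")
    return target


def _member_mode(info: zipfile.ZipInfo) -> int:
    """Unix permission bits stored in the zip external attributes (upper 16 bits)."""
    mode = (info.external_attr >> 16) & 0o777
    # Hardening choice (assumption, not from the advisory): never grant
    # world-writable bits regardless of what the archive asks for.
    return mode & ~0o002


def safe_unpack(archive_path: str, dest_dir: str) -> list:
    """Extract every member and chmod the *sanitized* destination path.

    Returns the list of file paths written, for auditing.
    """
    written = []
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            target = _sanitized_target(dest_dir, info.filename)  # validate first
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            mode = _member_mode(info)
            if mode:
                # The bug class: a chmod on a path built from the raw header
                # name can land outside dest_dir. Only touch the path we wrote.
                os.chmod(target, mode)
            written.append(target)
    return written


def demo() -> dict:
    """Build two constructed archives in a temp dir and exercise safe_unpack.

    Returns the observed results so they can be checked programmatically.
    """
    work = tempfile.mkdtemp(prefix="wheel-perm-demo-")
    dest = os.path.join(work, "site-packages")

    # Constructed benign archive: one script whose header asks for mode 0777.
    good = os.path.join(work, "good.zip")
    with zipfile.ZipFile(good, "w") as zf:
        zi = zipfile.ZipInfo("pkg/run.sh")
        zi.external_attr = 0o777 << 16
        zf.writestr(zi, "#!/bin/sh\necho ok\n")
    written = safe_unpack(good, dest)
    good_mode = stat.S_IMODE(os.stat(written[0]).st_mode)

    # Constructed traversal archive: the member name tries to leave dest.
    bad = os.path.join(work, "bad.zip")
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("../outside.txt", "should never be written\n")
    try:
        safe_unpack(bad, dest)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "written": written,
        "good_mode": good_mode,          # 0o775: 0777 with world-write dropped
        "rejected": rejected,            # traversal member refused before any write
        "escaped_file_exists": os.path.exists(os.path.join(work, "outside.txt")),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering matters more than any single check: resolving and validating the path happens before the write, and the same validated string is reused for chmod, so there is no second place where an unsanitized header name can be consulted.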
Tags: Exploit · Fix · LPE · Path traversal · Incorrect Permission
Affected Products
Linuxmint
Red Os
Rocky Linux
Ubuntu
Wheel