PT-2026-3917 · PyPI · wheel

Kilkat · Published 2026-01-22 · Updated 2026-03-06 · CVE-2026-24049

CVSS v3.1: 7.1 (Vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: wheel versions 0.40.0 through 0.46.1

Description: The 'wheel' package, a tool for building and manipulating Python wheel files, contains a flaw in its unpack function. When a wheel is unpacked, each archive member is extracted through a path that has been sanitized (leading separators and '..' components are dropped), but the permission bits are then applied to a path rebuilt from the raw, unsanitized filename in the archive header. A crafted wheel whose member names contain path traversal sequences (for example '../../etc/passwd') and whose header mode bits are permissive therefore causes unpack to chmod a file outside the extraction directory instead of the file it just wrote. If the unpacking user owns the target file, or is root, that file can be made world-writable, which can lead to privilege escalation or arbitrary code execution. The attack requires the victim to unpack an attacker-supplied wheel (UI:R), and a chmod only succeeds on files the unpacking user is permitted to change, so the impact is greatest when wheels from untrusted sources are unpacked as a privileged user.

Recommendations: Update to a version of wheel later than 0.46.1. Until then, do not unpack untrusted wheels with a privileged account, and reject any wheel whose member names are absolute or contain '..' components before unpacking it.
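The following added example models the flaw described above and is not wheel's own code: a constructed zip (wheels are zip archives) carries one member named '../victim.txt' with mode 0777 in its header. The vulnerable unpacker mirrors the described pattern (zipfile.extract() sanitizes the path, then chmod is applied to dest joined with the raw header name); the hardened unpacker rejects member names that resolve outside the destination and chmods only the path that was actually written. The helper names, the temporary directory layout and the victim file are all assumptions made for the demo; everything runs in a temporary directory and touches nothing else.

```python
"""Constructed model of CVE-2026-24049's permission-handling flaw.

Added example, not wheel's own code. Function names, layout and sample
archive are assumptions for the demo; it runs entirely inside a tempdir.
POSIX-oriented: chmod semantics on Windows differ.
"""
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def build_malicious_wheel(entry_name: str, mode: int = 0o777) -> bytes:
    """Constructed attacker input: a zip with one member whose header name is
    `entry_name` and whose external_attr encodes the Unix mode `mode`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(entry_name)
        info.external_attr = (mode & 0o777) << 16  # upper 16 bits carry st_mode
        zf.writestr(info, b"payload\n")
    return buf.getvalue()


def unpack_vulnerable(archive: bytes, dest) -> None:
    """Vulnerable pattern: zipfile.extract() strips '..' and leading '/' before
    writing, but the chmod joins dest with the RAW header name, so it can land
    on a file outside dest."""
    dest = Path(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            zf.extract(info, dest)                       # writes dest/victim.txt
            perms = (info.external_attr >> 16) & 0o777
            dest.joinpath(info.filename).chmod(perms)    # BUG: dest/../victim.txt


def unpack_fixed(archive: bytes, dest) -> None:
    """Hardened: refuse any member whose header name resolves outside dest, and
    chmod the path zipfile actually wrote, never a path rebuilt from the header."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if dest not in target.parents:
                raise ValueError(f"unsafe archive member name: {info.filename!r}")
            written = Path(zf.extract(info, dest))
            perms = (info.external_attr >> 16) & 0o777
            written.chmod(perms)


def unsafe_members(archive: bytes) -> list:
    """Pre-check for use before handing a wheel to an unpatched unpacker:
    returns member names that are absolute or still contain '..' after
    normalisation, i.e. names that would escape an extraction directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            parts = Path(os.path.normpath(name)).parts
            if os.path.isabs(name) or ".." in parts:
                bad.append(name)
    return bad


def demo(unpacker):
    """Lay out tmp/victim.txt (mode 0600) next to tmp/dest, unpack a wheel whose
    member is named '../victim.txt' with mode 0777 into tmp/dest, and return
    (victim's mode afterwards, error message or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        victim = root / "victim.txt"
        victim.write_text("sensitive\n")
        victim.chmod(0o600)
        dest = root / "dest"
        dest.mkdir()
        error = None
        try:
            unpacker(build_malicious_wheel("../victim.txt", 0o777), dest)
        except ValueError as exc:
            error = str(exc)
        return stat.S_IMODE(victim.stat().st_mode), error


if __name__ == "__main__":
    mode, err = demo(unpack_vulnerable)
    print("vulnerable:", oct(mode), err)   # 0o777 None  (victim is now world-writable)
    mode, err = demo(unpack_fixed)
    print("fixed:     ", oct(mode), err)   # 0o600 unsafe archive member name: '../victim.txt'
```

The vulnerable unpacker never writes outside dest (zipfile's sanitization holds), yet the victim file one level up ends with mode 0777, which is exactly the gap the advisory describes. The hardened version checks the resolved target before extracting anything and then chmods the returned path, so a traversal name fails closed. unsafe_members() is the cheap check to run on wheels from untrusted sources when the installed wheel cannot be upgraded yet.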

Tags: Exploit · Fix · LPE · Path traversal · Incorrect Permission

Weakness Enumeration

Related Identifiers

ALSA-2026:1902
ALSA-2026:1939
ALSA-2026:2090
CVE-2026-24049
ECHO-3D34-CEC5-CF72
GHSA-8RRH-RW8J-W5FX
OESA-2026-1279
OESA-2026-1280
OESA-2026-1281
RHSA-2026:1902
RHSA-2026:1939
RHSA-2026:2090
RHSA-2026:2710
RHSA-2026:2823
RHSA-2026:2865
RHSA-2026:2866
RHSA-2026:3958
RHSA-2026:3959

Affected Products

Rocky Linux
Wheel