PT-2026-40065 · Undefined · Undefined

Published 2026-05-12 · Updated 2026-05-19 · CVE-2026-31226

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TinyZero versions prior to commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839

Description: Command injection exists in the HDFS file operation utilities due to the unsafe construction and execution of shell commands via the os.system() function without proper input sanitization or escaping. User-controlled input, such as file paths, is directly interpolated into shell command strings using f-strings within the copy() function. An attacker can inject arbitrary OS commands by providing a specially crafted path parameter through the Hydra configuration framework, leading to remote code execution with the privileges of the user running the training process.

Recommendations: Update TinyZero to a version beyond commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839. As a temporary workaround, restrict or avoid using the copy() function and the path parameter within the Hydra configuration framework until the update is applied.
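The unsafe pattern described above, placed beside a hardened replacement, as an added example that is not TinyZero's own code: the `hdfs dfs -put` command, the helper names and the path allow-list are assumptions made for the illustration.

```python
import re
import shlex
import subprocess
from typing import Callable, List

# Allow-list for HDFS and local paths (assumption for this example): letters,
# digits and the punctuation that normally appears in a path or hdfs:// URI.
# Whitespace, quotes, ';', '|', '&', '$', backticks and similar are excluded.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./:@%+=-]+$")


def path_is_safe(path: str) -> bool:
    """True when the path contains only allow-listed characters."""
    return bool(_SAFE_PATH.match(path))


def vulnerable_copy_command(src: str, dst: str) -> str:
    """The pattern the advisory describes: operands interpolated into one
    shell string that would be handed to os.system(), so /bin/sh parses
    whatever the caller put into the path."""
    return f"hdfs dfs -put {src} {dst}"


def quoted_copy_command(src: str, dst: str) -> str:
    """If a shell string is unavoidable, shlex.quote() every operand so the
    shell sees each path as exactly one word."""
    return f"hdfs dfs -put {shlex.quote(src)} {shlex.quote(dst)}"


def build_copy_argv(src: str, dst: str) -> List[str]:
    """Hardened form: validate the operands, then build an argument vector
    that is executed without a shell (no string is ever parsed by /bin/sh)."""
    if not (path_is_safe(src) and path_is_safe(dst)):
        raise ValueError("path contains characters outside the allow-list")
    return ["hdfs", "dfs", "-put", src, dst]


def copy(src: str, dst: str,
         runner: Callable[..., object] = subprocess.run) -> List[str]:
    """Run the copy with shell=False; the runner is injectable for testing."""
    argv = build_copy_argv(src, dst)
    runner(argv, shell=False, check=True)  # argv list, never a shell string
    return argv
```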

Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-31226

Affected Products: Undefined