PT-2026-4315 · Unknown · Containers

Llfam · Published 2026-01-22 · Updated 2026-01-28 · CVE-2026-20613

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- container, versions prior to 0.8.0
- containerization, versions prior to 0.21.0

Description
The ArchiveReader.extractContents() function, used by cctl image load and container image load, lacks proper pathname validation during archive extraction. A crafted archive can therefore use relative pathnames to extract files to arbitrary user-writable locations on the system. The vulnerable code resides in Reader.swift at line 180. A proof-of-concept script, make-evil-tar.py, demonstrates the creation of a malicious archive that writes a file to a user-specified location. This issue affects users of cctl image load in the containerization project, any dependent projects that use the extractContents() function, and users of container image load. The issue is not a privilege escalation, because files are only written to locations that are already writable by the user.

Recommendations
- Update to container version 0.8.0 or later.
- Update to containerization version 0.21.0 or later.
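The pathname validation the description says extractContents() lacked, written as an added Python example (the project itself is Swift; this is not its code). It assumes a hypothetical destination root /tmp/extract-root, which is never created, and a constructed in-memory tar archive containing one benign member plus three members that a validating extractor must refuse: a relative-path escape, an absolute pathname, and a symlink whose target points outside the destination. The decision is made on the pathname alone, before anything is written.

```python
import io
import os
import tarfile

# Hypothetical destination root for the checks below (never created on disk).
DEST_ROOT = "/tmp/extract-root"


def is_safe_member_path(dest_root: str, member_name: str) -> bool:
    """Accept a member pathname only if it resolves strictly inside dest_root.

    Rejects absolute names and any name whose normalized form climbs out of
    the root via '..'. The check runs on the pathname before any file is
    written, which is the validation the advisory describes as missing.
    """
    if not member_name or member_name.startswith("/"):
        return False
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, member_name))
    # commonpath rather than str.startswith, so that "/tmp/extract-root2"
    # is not mistaken for a child of "/tmp/extract-root".
    return os.path.commonpath([root, target]) == root


def member_is_safe(dest_root: str, member: tarfile.TarInfo) -> bool:
    """Check the member's own name and, for link entries, where the link points."""
    if not is_safe_member_path(dest_root, member.name):
        return False
    if member.issym():
        # A symlink target is resolved relative to the link's own directory.
        link_dir = os.path.dirname(member.name)
        return is_safe_member_path(dest_root, os.path.join(link_dir, member.linkname))
    if member.islnk():
        # A hard link target is a path relative to the archive root.
        return is_safe_member_path(dest_root, member.linkname)
    return True


def classify_members(archive_bytes: bytes, dest_root: str) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected) member names without extracting anything."""
    accepted: list[str] = []
    rejected: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            (accepted if member_is_safe(dest_root, member) else rejected).append(member.name)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign file plus three entries that a
    pathname check must refuse. Built entirely in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        ok = tarfile.TarInfo("ok/file.txt")
        ok.size = len(data)
        tar.addfile(ok, io.BytesIO(data))
        tar.addfile(tarfile.TarInfo("../escape.txt"))  # relative-path escape
        tar.addfile(tarfile.TarInfo("/abs.txt"))       # absolute pathname
        link = tarfile.TarInfo("ok/link")               # symlink pointing outside
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside.txt"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    accepted, rejected = classify_members(build_sample_archive(), DEST_ROOT)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

On Python 3.12 and later the standard library offers the same protection built in: `TarFile.extractall(path, filter="data")` refuses absolute names, members that would land outside the destination, and links that point outside it. The hand-written check above makes the individual decisions visible, which is useful when reviewing an extractor in another language, such as the Swift reader this advisory concerns.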

Fix

Weakness Enumeration: Path traversal

Related Identifiers
- CVE-2026-20613
- GHSA-CQ3J-QJ2H-6RV3

Affected Products
- Containers
- Containerization