PT-2026-44197 · Red Hat · Pen Drive Powered By Red Hat Lightspeed+9
Published: 2026-05-28 · Updated: 2026-05-28
CVE-2026-44604
CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Pen Drive Powered By Red Hat Lightspeed
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Hardened Images
Red Hat Openshift Container Platform 4
Red Hat Satellite 6
Red Hat Build Of Quarkus Native Builder