{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44604/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-44604"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RPM"],"_cs_severities":["high"],"_cs_tags":["command-injection","rpm","CVE-2026-44604","archive-extraction","linux"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA command injection vulnerability, CVE-2026-44604, affects the \u003ccode\u003erpmuncompress\u003c/code\u003e utility within RPM. This flaw occurs during the extraction of specific archive formats, namely ZIP, 7z, and GEM. The utility unsafely incorporates the archive\u0026rsquo;s top-level folder name into a shell command without proper sanitization. By crafting a malicious archive with shell metacharacters embedded in the folder name, an attacker can inject arbitrary commands. The vulnerability can be exploited by any user able to trigger the RPM extraction process and results in command execution with the privileges of the user running the \u003ccode\u003erpmuncompress\u003c/code\u003e command. This is a critical security concern as it allows for privilege escalation and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious ZIP, 7z, or GEM archive. The archive\u0026rsquo;s top-level folder name contains shell metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA user is tricked into using the \u003ccode\u003erpmuncompress\u003c/code\u003e utility or a similar tool that leverages it to extract the malicious archive to a specified destination directory.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erpmuncompress\u003c/code\u003e processes the archive and extracts the top-level folder name.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization, the crafted folder name containing shell metacharacters is incorporated into a shell command.\u003c/li\u003e\n\u003cli\u003eThe shell command is executed by the system, interpreting the metacharacters as command separators or modifiers.\u003c/li\u003e\n\u003cli\u003eThe injected commands execute arbitrary code within the context of the user running \u003ccode\u003erpmuncompress\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system or performs unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration, installing malware, or creating new privileged accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44604 allows an attacker to execute arbitrary commands on the affected system with the privileges of the user running the \u003ccode\u003erpmuncompress\u003c/code\u003e utility. This can lead to complete system compromise, data theft, or denial of service. The CVSS v3.1 base score is 7.0, indicating a high severity. Given the widespread use of RPM in Linux distributions, this vulnerability poses a significant risk to a large number of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect command injection attempts using shell metacharacters within archive names.\u003c/li\u003e\n\u003cli\u003eWhere feasible, avoid using \u003ccode\u003erpmuncompress\u003c/code\u003e on untrusted archives. If archive extraction is necessary, isolate the process in a sandboxed environment to limit the impact of potential command injection.\u003c/li\u003e\n\u003cli\u003eApply patches or updates provided by Red Hat that address CVE-2026-44604.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual commands being executed by \u003ccode\u003erpmuncompress\u003c/code\u003e or related processes, as identified by the Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T08:18:30Z","date_published":"2026-05-28T08:18:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-rpm-command-injection/","summary":"A command injection vulnerability (CVE-2026-44604) exists in the `rpmuncompress` utility of RPM; when extracting specially crafted ZIP, 7z, or GEM archives, an attacker can inject shell commands via a malicious top-level folder name, leading to arbitrary code execution as the user running the extraction.","title":"CVE-2026-44604: RPM rpmuncompress Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-rpm-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44604","version":"https://jsonfeed.org/version/1.1"}