{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sleuth-kit/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-40024"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","code execution","privilege escalation","sleuth kit","CVE-2026-40024"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Sleuth Kit, a collection of command-line tools for forensic analysis of disk images, is susceptible to a path traversal vulnerability (CVE-2026-40024) affecting versions up to 4.14.0. This vulnerability resides within the \u003ccode\u003etsk_recover\u003c/code\u003e utility, which is designed to recover files from disk images. An attacker can exploit this flaw by crafting a malicious filesystem image containing filenames or directory paths with path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e). When \u003ccode\u003etsk_recover\u003c/code\u003e processes this image, it can be tricked into writing files to arbitrary locations outside the intended recovery directory. Successful exploitation allows attackers to overwrite critical system files, such as shell configuration files or cron entries, ultimately leading to code execution with elevated privileges. This vulnerability poses a significant risk to systems utilizing The Sleuth Kit for forensic investigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious filesystem image. This image contains filenames or directory paths embedded with path traversal sequences like \u003ccode\u003e../\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker, or a user under their control, invokes the \u003ccode\u003etsk_recover\u003c/code\u003e utility on a vulnerable system, specifying the malicious filesystem image as input.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003etsk_recover\u003c/code\u003e parses the filesystem image and encounters the crafted filenames with path traversal sequences.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, \u003ccode\u003etsk_recover\u003c/code\u003e incorrectly resolves the file paths, allowing the write operation to escape the intended recovery directory.\u003c/li\u003e\n\u003cli\u003eThe utility writes a file to an arbitrary location on the file system. This location is determined by the attacker-controlled path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe attacker strategically targets critical system files for overwriting, such as shell configuration files (\u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.bash_profile\u003c/code\u003e) or cron entries (\u003ccode\u003e/etc/cron.d/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpon the next user login or scheduled cron job execution, the attacker\u0026rsquo;s malicious code embedded in the overwritten files is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, potentially gaining persistence or escalating privileges on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files to the target system, potentially leading to code execution. By overwriting shell configuration files or cron entries, attackers can gain persistence and escalate their privileges, effectively taking control of the system. While the specific number of victims is unknown, any system utilizing a vulnerable version of The Sleuth Kit for disk image analysis is at risk. The impact could range from data theft to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the level of access gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade The Sleuth Kit to a version beyond 4.14.0 to patch CVE-2026-40024 and eliminate the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for instances of \u003ccode\u003etsk_recover\u003c/code\u003e writing files outside the intended recovery directory using the Sigma rule \u003ccode\u003eDetect Sleuth Kit Path Traversal\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for critical system files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.bash_profile\u003c/code\u003e, \u003ccode\u003e/etc/cron.d/*\u003c/code\u003e) to detect unauthorized modifications resulting from exploitation of CVE-2026-40024.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T22:16:22Z","date_published":"2026-04-08T22:16:22Z","id":"/briefs/2024-01-30-sleuthkit-pathtraversal/","summary":"A path traversal vulnerability exists in The Sleuth Kit through 4.14.0 (tsk_recover), enabling attackers to write files to arbitrary locations via crafted filenames with path traversal sequences in a filesystem image, potentially leading to code execution.","title":"Sleuth Kit Path Traversal Vulnerability (CVE-2026-40024)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-sleuthkit-pathtraversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Sleuth Kit","version":"https://jsonfeed.org/version/1.1"}