{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/symlink/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.3,"id":"CVE-2025-68146"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["TOCTOU","symlink","filelock","CVE-2025-68146","race condition"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2025-68146 is a security vulnerability residing within the filelock library, a widely used Python library for file locking. The vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during the creation of lock files. This weakness can be exploited by a local attacker to perform symlink attacks. By carefully manipulating the file system, an attacker can potentially redirect the lock creation process to a file location they control. This is a locally exploitable vulnerability with potential for privilege escalation and unauthorized access, but requires local access to the vulnerable system. The advisory was published on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to the system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies an application utilizing the vulnerable filelock library for file locking operations.\u003c/li\u003e\n\u003cli\u003eAttacker creates a symbolic link (symlink) pointing the expected lock file path to a file location under their control.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application attempts to create a lock file at the expected location.\u003c/li\u003e\n\u003cli\u003eDue to the TOCTOU race condition, between the time the application checks for the existence of the lock file and the time it attempts to create it, the symlink is followed.\u003c/li\u003e\n\u003cli\u003eThe lock file is created in the attacker-controlled location instead of the intended secure location.\u003c/li\u003e\n\u003cli\u003eThe application continues execution, believing it has exclusive access, while the attacker can potentially modify or access the protected resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-68146 allows an attacker to manipulate file locking mechanisms, potentially leading to unauthorized modification or access to sensitive files. This can lead to data corruption, privilege escalation, or denial of service. The vulnerability requires local access, limiting the scope of potential attacks, but can be a critical issue in multi-user environments or systems with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or updates provided by the vendor (Microsoft) to address CVE-2025-68146 when they become available.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to critical files and directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious symlink creation attempts that might indicate exploitation of this TOCTOU vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T07:50:36Z","date_published":"2026-04-29T07:50:36Z","id":"/briefs/2024-05-filelock-symlink/","summary":"CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.","title":"CVE-2025-68146 filelock TOCTOU Race Condition Enables Symlink Attacks","url":"https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41364"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["symlink","file-write","sandbox-escape"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions before 2026.3.31 are vulnerable to a symlink following issue within the SSH sandbox tar upload functionality. This vulnerability, identified as CVE-2026-41364, allows a remote attacker with the ability to upload tar archives to the OpenClaw instance to potentially escape the intended sandbox environment. By crafting a malicious tar archive containing carefully constructed symbolic links, an attacker can overwrite arbitrary files on the remote host, leading to a compromise of the system\u0026rsquo;s integrity. This vulnerability was reported and patched in version 2026.3.31. Defenders need to ensure they are running patched versions to mitigate the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the OpenClaw instance via SSH, gaining access to the restricted sandbox environment.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious tar archive containing symbolic links pointing outside the intended sandbox directory. These symlinks are designed to target specific files or directories on the host system that the attacker wishes to overwrite.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious tar archive to the OpenClaw instance using the SSH sandbox tar upload functionality.\u003c/li\u003e\n\u003cli\u003eOpenClaw extracts the contents of the uploaded tar archive without properly validating or restricting the target paths of the symbolic links.\u003c/li\u003e\n\u003cli\u003eDuring extraction, the symbolic links are followed, causing files to be written outside the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites arbitrary files on the remote host with attacker-controlled content.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution or persistence by overwriting critical system files or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by modifying binaries used by privileged users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker with low privileges to write arbitrary files on the OpenClaw server. This can lead to a variety of impacts, including arbitrary code execution, privilege escalation, and denial of service. An attacker could potentially gain complete control over the OpenClaw server by overwriting critical system files. Given the potential for complete system compromise, this vulnerability poses a significant risk to organizations using affected versions of OpenClaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41364.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Tar Archive Upload with Symlinks\u0026rdquo; to detect attempts to upload malicious tar archives containing symbolic links.\u003c/li\u003e\n\u003cli\u003eMonitor SSH logs for suspicious activity related to tar archive uploads to the OpenClaw instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T00:16:25Z","date_published":"2026-04-28T00:16:25Z","id":"/briefs/2026-04-openclaw-symlink/","summary":"OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.","title":"OpenClaw Symlink Vulnerability in SSH Sandbox Tar Upload (CVE-2026-41364)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-symlink/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-24884"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["npm","supply-chain","symlink","directory-traversal","privilege-escalation","arbitrary-file-overwrite"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites due to a symlink path traversal bypass. This bypass affects the patch for CVE-2026-24884. The vulnerability arises from an incomplete validation in the \u003ccode\u003eisPathWithinParent\u003c/code\u003e utility, where path string checks are performed without verifying the filesystem state, specifically symbolic links. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a \u0026ldquo;poisoned path\u0026rdquo; on their system. The attacker can then craft a malicious archive that, when extracted by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via \u003ccode\u003egit clone\u003c/code\u003e makes this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious Git repository containing a symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) pointing to a sensitive target file or directory (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker generates a malicious payload (e.g., \u003ccode\u003epayload.tar\u003c/code\u003e) containing a file with the same name as the symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) and uploads both to their Git repository.\u003c/li\u003e\n\u003cli\u003eVictim clones the attacker\u0026rsquo;s Git repository using \u003ccode\u003egit clone\u003c/code\u003e. This action automatically restores the symbolic link on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eVictim runs an application that utilizes the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e library to extract the \u003ccode\u003epayload.tar\u003c/code\u003e archive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s \u003ccode\u003eisPathWithinParent\u003c/code\u003e function resolves the path to the file being extracted. Due to lack of \u003ccode\u003elstat\u003c/code\u003e checks, the symbolic link is not detected.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.writeFile\u003c/code\u003e function follows the symlink, writing the contents of the file from \u003ccode\u003epayload.tar\u003c/code\u003e to the targeted sensitive file (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eArbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistent access or control by overwriting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to overwrite arbitrary files on the victim\u0026rsquo;s system, potentially leading to privilege escalation by modifying sensitive system files such as \u003ccode\u003e/etc/passwd\u003c/code\u003e. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the \u003ccode\u003ecompressing\u003c/code\u003e library up to version v2.1.0 when extracting untrusted archives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecompressing\u003c/code\u003e npm package to a patched version that includes proper symlink handling. This is the primary remediation.\u003c/li\u003e\n\u003cli\u003eInspect Git repositories for suspicious symbolic links before cloning. Use \u003ccode\u003egit ls-tree -r \u0026lt;commit-ish\u0026gt; | grep 120000\u003c/code\u003e to search for symlinks in a repository.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring for file writes to unexpected locations based on the \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s activity. Create a detection rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e to detect writes to sensitive directories such as \u003ccode\u003e/etc\u003c/code\u003e by processes spawned by Node.js that also load the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes related to the \u003ccode\u003ecompressing\u003c/code\u003e library after file extraction. Create a Sigma rule based on \u003ccode\u003enetwork_connection\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e to detect unusual outbound connections after archive extraction.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-compressing-symlink-bypass/","summary":"A vulnerability in the `compressing` npm package (\u003c=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.","title":"compressing npm Package Symlink Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-22767"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["symlink","dell","appsync","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDell AppSync version 4.6.0 contains a UNIX Symbolic Link (Symlink) Following vulnerability, identified as CVE-2026-22767. This vulnerability enables a low-privileged attacker with local access to exploit the system and potentially tamper with sensitive information. The vulnerability was disclosed on April 1, 2026. Defenders should be aware of the potential for local privilege escalation and information tampering due to this vulnerability. Addressing this vulnerability is critical to maintaining the integrity and confidentiality of data managed by Dell AppSync.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to the system running Dell AppSync 4.6.0.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a directory writable by low-privileged users where AppSync improperly handles symlinks.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious symbolic link pointing to a sensitive system file (e.g., \u003ccode\u003e/etc/shadow\u003c/code\u003e, configuration files).\u003c/li\u003e\n\u003cli\u003eAppSync, while performing its normal operations, follows the symbolic link created by the attacker.\u003c/li\u003e\n\u003cli\u003eAppSync attempts to access or modify the target file through the symlink.\u003c/li\u003e\n\u003cli\u003eDue to insufficient permission checks, AppSync inappropriately overwrites, reads, or modifies the sensitive file.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the modified sensitive file to escalate privileges or gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eAttacker achieves the objective of information tampering by modifying application data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22767 can lead to information tampering on systems running Dell AppSync 4.6.0. A low-privileged attacker with local access could potentially modify system or application configurations, leading to unauthorized access or disruption of services. The impact includes potential data corruption, privilege escalation, and a compromise of the overall system security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Dell as detailed in DSA-2026-163 to remediate CVE-2026-22767 (\u003ca href=\"https://www.dell.com/support/kbdoc/en-us/000446965/dsa-2026-163-security-update-for-dell-appsync-vulnerabilities\"\u003ehttps://www.dell.com/support/kbdoc/en-us/000446965/dsa-2026-163-security-update-for-dell-appsync-vulnerabilities\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Suspicious Symlink Creation\u0026rdquo; Sigma rule to identify potentially malicious symlink activity on systems running Dell AppSync.\u003c/li\u003e\n\u003cli\u003eMonitor file system events for unexpected modifications to sensitive files, particularly those targeted by symlinks, using the \u0026ldquo;Detect Sensitive File Tampering via Symlink\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T13:16:33Z","date_published":"2026-04-01T13:16:33Z","id":"/briefs/2026-04-dell-appsync-symlink/","summary":"Dell AppSync version 4.6.0 is vulnerable to a UNIX Symbolic Link (Symlink) Following vulnerability (CVE-2026-22767) that allows a low-privileged local attacker to tamper with information.","title":"Dell AppSync 4.6.0 UNIX Symbolic Link Following Vulnerability (CVE-2026-22767)","url":"https://feed.craftedsignal.io/briefs/2026-04-dell-appsync-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["registry","symlink","race-condition","accessibility","privilege-escalation","persistence","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eRegPwnBOF is an exploit leveraging a registry symlink race condition within the Windows Accessibility ATConfig mechanism. This vulnerability allows an unprivileged user to manipulate protected areas of the registry, specifically HKLM, which are typically reserved for administrators or system processes. By exploiting this race condition, an attacker can write arbitrary values to these protected keys. The initial report surfaced around March 2026, highlighting the potential for unauthorized persistence and privilege escalation. This circumvents standard Windows security controls, posing a significant risk to system integrity and confidentiality. The exploit\u0026rsquo;s accessibility to non-administrator users makes it particularly dangerous in environments where least-privilege principles are not strictly enforced.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user initiates the ATConfig mechanism within the Windows Accessibility features.\u003c/li\u003e\n\u003cli\u003eThe exploit creates a registry symlink pointing to a protected HKLM key.\u003c/li\u003e\n\u003cli\u003eA race condition is triggered during the ATConfig process, allowing the exploit to bypass security checks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this race condition to overwrite the target HKLM registry key with arbitrary data.\u003c/li\u003e\n\u003cli\u003eThe modified registry key is used to establish persistence, for example, by creating a Run key.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user login, the malicious payload associated with the modified Run key is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges by executing code within the context of a privileged process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of RegPwnBOF allows an attacker to gain persistent access to a compromised system and escalate their privileges to administrator level. This can lead to complete system compromise, data theft, and the installation of malware. The impact is magnified by the fact that this exploit can be triggered by a normal user, bypassing traditional access controls. The number of potential victims is considerable, as the vulnerability exists within the Windows Accessibility features, which are enabled by default on many systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications targeting HKLM keys, especially those related to Accessibility features, using a process_creation log source and the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and least-privilege principles to limit the ability of unprivileged users to interact with system-level configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual registry symlink creation events using file_event logs, particularly those involving the ATConfig mechanism, to identify potential RegPwnBOF exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:23:44Z","date_published":"2026-03-19T05:23:44Z","id":"/briefs/2024-01-regpwnbof/","summary":"RegPwnBOF exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism, enabling a normal user to write arbitrary values to protected HKLM registry keys for persistence and privilege escalation.","title":"RegPwnBOF Registry Symlink Race Condition Exploit","url":"https://feed.craftedsignal.io/briefs/2024-01-regpwnbof/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-41326"}],"_cs_exploited":false,"_cs_products":["kata-containers/kata-containers (\u003c 0.0.0-20260422180503-1b9e49eb2763)"],"_cs_severities":["high"],"_cs_tags":["kata-containers","container-escape","symlink"],"_cs_type":"advisory","_cs_vendors":["kata-containers"],"content_html":"\u003cp\u003eAn oversight in the CopyFile policy within Kata Containers allows a malicious host to manipulate guest workload images. The vulnerability stems from insufficient validation within the \u003ccode\u003eCopyFileRequest\u003c/code\u003e policy, specifically related to symlink creation. The policy primarily checks the destination path of copied files but fails to adequately validate the target of symlinks created via the same API. This flaw was discovered by @calonso-nv and impacts environments where the \u003ccode\u003egenpolicy\u003c/code\u003e implementation is used to prevent host access to container images, including Confidential Containers workloads which rely on strong isolation. If the guest image is not protected from the host (e.g., when using unprotected host pull), the system is not vulnerable. The affected package is \u003ccode\u003ego/github.com/kata-containers/kata-containers\u003c/code\u003e versions prior to \u003ccode\u003e0.0.0-20260422180503-1b9e49eb2763\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target file within the guest container image, such as a binary or configuration file they wish to overwrite.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003eCopyFileRequest\u003c/code\u003e to create a symbolic link within the \u003ccode\u003e/run/kata-containers/shared/containers\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epath\u003c/code\u003e parameter of the request specifies the location of the symlink within the shared directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edata\u003c/code\u003e parameter of the request specifies the target of the symbolic link, which points to the target file identified in step 1, inside the guest file system.\u003c/li\u003e\n\u003cli\u003eThe Kata Agent processes the \u003ccode\u003eCopyFileRequest\u003c/code\u003e, creating the symbolic link within the shared directory, pointing to the target file inside the container image.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a second \u003ccode\u003eCopyFileRequest\u003c/code\u003e to copy malicious data into the symlink created in step 5.\u003c/li\u003e\n\u003cli\u003eThe Kata Agent writes the malicious data to the symlink, which then overwrites the original target file within the container image.\u003c/li\u003e\n\u003cli\u003eThe attacker restarts the container or waits for the compromised binary to be executed, achieving arbitrary code execution within the guest.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to overwrite arbitrary files within container images managed by Kata Containers. This can lead to arbitrary code execution within the guest environment, data exfiltration, and privilege escalation. This is particularly critical in Confidential Containers environments where the trust model explicitly forbids host access to container images. Affected systems are those employing the upstream \u003ccode\u003egenpolicy\u003c/code\u003e implementation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to \u003ccode\u003ego/github.com/kata-containers/kata-containers\u003c/code\u003e version \u003ccode\u003e0.0.0-20260422180503-1b9e49eb2763\u003c/code\u003e or later to address CVE-2026-41326.\u003c/li\u003e\n\u003cli\u003eMonitor the creation of symbolic links within the \u003ccode\u003e/run/kata-containers/shared/containers\u003c/code\u003e directory, using the provided Sigma rule, as this is an unusual operation (file_event).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for the Kata Agent to prevent unauthorized \u003ccode\u003eCopyFileRequest\u003c/code\u003e messages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-kata-containers-copyfile-symlink/","summary":"An oversight in the CopyFile policy in Kata Containers allows untrusted hosts to write to arbitrary locations inside the guest workload image via symlinks, enabling binary overwrites and data exfiltration.","title":"Kata Containers CopyFile Policy Subversion via Symlinks","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kata-containers-copyfile-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw (\u003c= 2026.4.21)"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","symlink","race-condition","npm"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eOpenClaw, a tool available via npm, contains a vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw does not properly validate the target of write operations against the mount root, leaving it susceptible to symlink-based redirection attacks. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenClaw package or leverages an existing package.\u003c/li\u003e\n\u003cli\u003eThe package contains a symlink within the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application attempts to write to a file via the symlink.\u003c/li\u003e\n\u003cli\u003eBetween the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.\u003c/li\u003e\n\u003cli\u003eOpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to overwrite or modify arbitrary files on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this capability to gain elevated privileges or compromise sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Sandbox Escape via Symlink\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-openclaw-symlink/","summary":"A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.","title":"OpenClaw Symlink Race Condition Allows Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["apko (\u003c 1.2.5)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","symlink","apko","vulnerability","CVE-2026-42574"],"_cs_type":"advisory","_cs_vendors":["Chainguard"],"content_html":"\u003cp\u003eA path traversal vulnerability exists in apko\u0026rsquo;s \u003ccode\u003eDirFS\u003c/code\u003e component, specifically within the \u003ccode\u003esanitizePath\u003c/code\u003e helper function in versions prior to 1.2.5. The vulnerability allows a malicious \u003ccode\u003e.apk\u003c/code\u003e file to install a \u003ccode\u003eTypeSymlink\u003c/code\u003e tar entry pointing outside the intended build root. Subsequent directory creation or file writing operations could then traverse this symbolic link, leading to unauthorized access and modification of files on the host system. This issue affects users of apko and downstream tools, such as melange, that embed vulnerable versions of the \u003ccode\u003epkg/apk/fs\u003c/code\u003e package. The vulnerability was addressed in apko version 1.2.5 with the introduction of \u003ccode\u003e*os.Root\u003c/code\u003e, which prevents path traversal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.apk\u003c/code\u003e file containing a \u003ccode\u003eTypeSymlink\u003c/code\u003e tar entry.\u003c/li\u003e\n\u003cli\u003eThe symbolic link\u0026rsquo;s target is set to a path outside the intended build root, potentially targeting sensitive system directories.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.apk\u003c/code\u003e is processed using a vulnerable version of apko (prior to 1.2.5) via commands like \u003ccode\u003eapko build-cpio\u003c/code\u003e or through disk-backed consumers such as \u003ccode\u003emelange\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring tar extraction, the vulnerable \u003ccode\u003esanitizePath\u003c/code\u003e function fails to properly resolve or refuse the malicious symlink.\u003c/li\u003e\n\u003cli\u003eA subsequent directory-creation or file-write operation is initiated within the same or a later archive entry.\u003c/li\u003e\n\u003cli\u003eThe file operation traverses the previously created symbolic link, gaining access to the file system location outside the intended build root.\u003c/li\u003e\n\u003cli\u003eThe attacker can then create directories or write files to the compromised location, potentially overwriting critical system files or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to privilege escalation and persistent compromise of the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the host system. This can lead to privilege escalation if the attacker can overwrite setuid binaries or modify system configuration files. It can also lead to persistent compromise of the system if the attacker injects malicious code into startup scripts or other system files. While the exact number of victims is unknown, any system running a vulnerable version of apko (prior to 1.2.5) or tools embedding vulnerable versions of \u003ccode\u003epkg/apk/fs\u003c/code\u003e, such as melange, is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade apko to version 1.2.5 or later. This version includes a fix that prevents path traversal vulnerabilities as described in the advisory and commit \u003ca href=\"https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442\"\u003ef5a96e1\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, avoid consuming APKs from untrusted sources. However, note that this does not fully eliminate the risk.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in sensitive directories for unexpected activity, especially after processing \u003ccode\u003e.apk\u003c/code\u003e files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-apko-path-traversal/","summary":"A symlink-following path traversal vulnerability exists in apko versions prior to 1.2.5 allowing a malicious .apk file to create a symbolic link pointing outside the build root and subsequently modify files on the host system.","title":"Apko DirFS Symlink Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-apko-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Symlink","version":"https://jsonfeed.org/version/1.1"}