Bug 2494158 (CVE-2026-41991)

Summary: CVE-2026-41991 gzip: gzip: Arbitrary file overwrite via insecure temporary file handling in gzexe utility
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gtanzill, jbuscemi, jmitchel, kshier, pbohmill, rhel-process-autobot, sdawley, teagle, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `gzexe` utility of GNU `gzip`. When the `mktemp` utility is not available, `gzexe` creates temporary files with predictable names based on the process ID. A local attacker can exploit this by pre-creating a symbolic link to an arbitrary file at the predicted temporary file path. This can lead to a Time-of-Check to Time-of-Use (TOCTOU) condition, allowing the attacker to overwrite arbitrary files on the system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2494559    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-29 12:01:29 UTC
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks.
A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.

This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269