Bug 2431959 (CVE-2026-24049) - CVE-2026-24049 wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking
Summary: CVE-2026-24049 wheel: wheel: Privilege Escalation or Arbitrary Code Execution...
Keywords:
Status: NEW
Alias: CVE-2026-24049
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2432088 2432089 2432092 2432093 2432094 2432102 2432103 2432104 2432087 2432090 2432091 2432095 2432096 2432097 2432098 2432099 2432100 2432101 2432105 2432106 2432107 2432108 2432109 2432110 2432111
Blocks:
Reported: 2026-01-22 05:01 UTC by OSIDB Bzimport
Modified: 2026-03-06 10:55 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
Red Hat Product Errata RHSA-2026:1902 (last updated 2026-02-04 11:55:31 UTC)
Red Hat Product Errata RHSA-2026:1939 (last updated 2026-02-04 19:25:17 UTC)
Red Hat Product Errata RHSA-2026:2090 (last updated 2026-02-05 13:19:12 UTC)
Red Hat Product Errata RHSA-2026:2710 (last updated 2026-02-16 10:41:45 UTC)
Red Hat Product Errata RHSA-2026:2823 (last updated 2026-02-17 15:36:03 UTC)
Red Hat Product Errata RHSA-2026:2865 (last updated 2026-02-18 01:49:27 UTC)
Red Hat Product Errata RHSA-2026:2866 (last updated 2026-02-18 02:18:23 UTC)
Red Hat Product Errata RHSA-2026:3958 (last updated 2026-03-06 10:13:20 UTC)
Red Hat Product Errata RHSA-2026:3959 (last updated 2026-03-06 10:55:38 UTC)

Description OSIDB Bzimport 2026-01-22 05:01:19 UTC
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
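The chmod-after-extract pattern the description refers to, shown as an added example that is not wheel's own code: a wheel is a zip archive, so the standard-library zipfile module is enough. escaping_entries flags members whose header names would resolve outside the unpack root (a defender can reject such an archive before unpacking), and safe_unpack restores the recorded Unix mode only on the path ZipFile.extract actually wrote, never on the raw header name. The archive members, the /unpack-root anchor and the function names are constructed for the demo.

```python
import os
import stat
import tempfile
import zipfile

# Constructed demo members: two benign files plus one whose archive-header name
# tries to climb out of the unpack directory (the pattern the advisory describes).
MEMBERS = [("pkg/__init__.py", 0o644), ("pkg/run.sh", 0o755), ("../escape.txt", 0o666)]


def escaping_entries(wheel_path: str) -> list[str]:
    """Header names that would resolve outside the unpack root; reject such archives."""
    root = os.path.realpath("/unpack-root")  # any fixed anchor works for this check
    with zipfile.ZipFile(wheel_path) as zf:
        names = zf.namelist()
    return [n for n in names
            if os.path.commonpath([root, os.path.realpath(os.path.join(root, n))]) != root]


def safe_unpack(wheel_path: str, dest: str) -> list[str]:
    """Extract, then chmod the path extract() actually wrote, never the raw header name."""
    # Flawed pattern: os.chmod(os.path.join(dest, info.filename), mode). For a traversing
    # name that points at a file the sanitizing extractor never touched.
    written = []
    with zipfile.ZipFile(wheel_path) as zf:
        for info in zf.infolist():
            extracted = zf.extract(info, dest)  # zipfile strips '..', leading '/' and drives
            mode = (info.external_attr >> 16) & 0o777  # Unix mode recorded by the packer
            if mode and not info.is_dir():
                os.chmod(extracted, mode)
            written.append(extracted)
    return written


def demo() -> dict:
    """Build the constructed archive in a temp dir and run both functions on it."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = os.path.join(tmp, "demo-1.0-py3-none-any.whl")
        with zipfile.ZipFile(wheel, "w") as zf:
            for name, mode in MEMBERS:
                info = zipfile.ZipInfo(name)
                info.external_attr = (stat.S_IFREG | mode) << 16
                zf.writestr(info, "x\n")
        dest = os.path.realpath(os.path.join(tmp, "unpacked"))
        naive = os.path.realpath(os.path.join(dest, "../escape.txt"))  # flawed chmod target
        written = safe_unpack(wheel, dest)
        inside = [os.path.commonpath([dest, os.path.realpath(p)]) == dest for p in written]
        return {"flagged": escaping_entries(wheel), "all_inside": all(inside),
                "naive_outside": os.path.commonpath([dest, naive]) != dest,
                "script_mode": stat.S_IMODE(os.stat(os.path.join(dest, "pkg", "run.sh")).st_mode)}
```

demo() shows the two paths diverging: the flawed chmod target for the traversing member lies outside the unpack directory, while every path the sanitizing extractor wrote (and therefore every path safe_unpack chmods) stays inside it.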

Comment 1 errata-xmlrpc 2026-02-04 11:55:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1902 https://access.redhat.com/errata/RHSA-2026:1902

Comment 2 errata-xmlrpc 2026-02-04 19:25:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1939 https://access.redhat.com/errata/RHSA-2026:1939

Comment 3 errata-xmlrpc 2026-02-05 13:19:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2090 https://access.redhat.com/errata/RHSA-2026:2090

Comment 4 errata-xmlrpc 2026-02-16 10:41:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2710 https://access.redhat.com/errata/RHSA-2026:2710

Comment 5 errata-xmlrpc 2026-02-17 15:35:55 UTC
This issue has been addressed in the following products:

  Discovery 2 for RHEL 10
  Discovery 2 for RHEL 8
  Discovery 2 for RHEL 9

Via RHSA-2026:2823 https://access.redhat.com/errata/RHSA-2026:2823

Comment 6 errata-xmlrpc 2026-02-18 01:49:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:2865 https://access.redhat.com/errata/RHSA-2026:2865

Comment 7 errata-xmlrpc 2026-02-18 02:18:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2866 https://access.redhat.com/errata/RHSA-2026:2866

Comment 8 errata-xmlrpc 2026-03-06 10:13:12 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958

Comment 9 errata-xmlrpc 2026-03-06 10:55:30 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2026:3959 https://access.redhat.com/errata/RHSA-2026:3959

