Bug 2487233 (CVE-2026-53476) - CVE-2026-53476 assisted-migration-agent: VDDK Tarball Chained-Symlink Arbitrary File Write
Summary: CVE-2026-53476 assisted-migration-agent: VDDK Tarball Chained-Symlink Arbitra...
Keywords:
Status: NEW
Alias: CVE-2026-53476
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-09 18:37 UTC by OSIDB Bzimport
Modified: 2026-06-10 13:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-09 18:37:44 UTC
Repository: assisted-migration-agent  
Priority: High  
Location: internal/services/vddk.go:173

Description:  
The PUT /inspector/vddk endpoint accepts gzipped tarballs and extracts them with a custom extractTarGz() function. The extractor's path traversal protection uses lexical checks (filepath.Clean + HasPrefix) that do not resolve symlinks already present on disk. An attacker can craft a tarball that first plants a/x → .. (which passes lexical validation) and then writes a/x/y/..., which actually lands at dest/../y/... because os.Create follows the live symlink. This can be chained to write to the root directory /.

Security Impact:  

Unauthenticated LAN-adjacent clients can write arbitrary files as UID 1001

Writable targets include /var/lib/agent/ config and /app/.cache

Direct path to persistent code execution on appliance with vCenter admin credentials

Fix Suggestion:  
Before creating each entry, resolve the entry's parent directory with filepath.EvalSymlinks and re-verify that the resolved path is still inside destDir. Do not drop symlink support entirely, as legitimate VDDK tarballs contain .so version symlinks. See patches/f001.patch for implementation.
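As an added illustration of the fix suggestion, not code from this report, from patches/f001.patch, or from the assisted-migration-agent project: a Go extractor that keeps the lexical check and, before creating any entry, resolves the deepest already-existing ancestor of the entry's target with filepath.EvalSymlinks and re-checks it against the resolved destDir. Symlink entries themselves are still extracted (so .so version links keep working); what is refused is a later entry whose path routes through a symlink that leaves the destination. The names safeTarget, extractTarGz and insideDir are assumptions, and main() builds a constructed directory whose planted link points two levels up so that the rejected write would have landed beside destDir.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// insideDir reports whether path equals dir or lies beneath it (lexically).
func insideDir(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// safeTarget (assumed helper, not the project's code) returns the real on-disk location of
// tar entry name under destDir: after the lexical check it resolves the deepest ancestor that
// already exists with EvalSymlinks, so a symlink planted by an earlier entry cannot redirect it.
func safeTarget(destDir, name string) (string, error) {
	destReal, err := filepath.EvalSymlinks(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(destReal, name) // Join also cleans the path
	if !insideDir(destReal, target) {
		return "", fmt.Errorf("entry %q escapes destination lexically", name)
	}
	existing := target
	for _, err := os.Lstat(existing); os.IsNotExist(err); _, err = os.Lstat(existing) {
		existing = filepath.Dir(existing) // climb to an existing component; destReal always exists
	}
	existingReal, err := filepath.EvalSymlinks(existing) // follows symlinks already on disk
	if err != nil {
		return "", err
	}
	if !insideDir(destReal, existingReal) {
		return "", fmt.Errorf("entry %q: %q resolves to %q, outside destination", name, existing, existingReal)
	}
	rel, _ := filepath.Rel(existing, target) // existing is an ancestor of target
	return filepath.Join(existingReal, rel), nil
}

// extractTarGz unpacks a gzipped tarball under destDir. Symlink entries stay supported
// (VDDK ships .so version links); every entry goes through safeTarget before any write.
func extractTarGz(r io.Reader, destDir string) error {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := safeTarget(destDir, hdr.Name)
		if err != nil {
			return err
		}
		if hdr.Typeflag == tar.TypeDir {
			err = os.MkdirAll(target, 0o755)
		} else if err = os.MkdirAll(filepath.Dir(target), 0o755); err == nil {
			switch hdr.Typeflag {
			case tar.TypeSymlink: // link target kept as-is; later writes through it are re-resolved
				err = os.Symlink(hdr.Linkname, target)
			case tar.TypeReg:
				var f *os.File
				if f, err = os.Create(target); err == nil {
					_, err = io.Copy(f, tr)
					f.Close()
				}
			default:
				err = fmt.Errorf("entry %q: unsupported type %c", hdr.Name, hdr.Typeflag)
			}
		}
		if err != nil {
			return err
		}
	}
}

func main() {
	dest, _ := os.MkdirTemp("", "vddk")
	defer os.RemoveAll(dest)
	// Constructed state after a planted entry: dest/a/x climbs two levels, to beside dest.
	os.MkdirAll(filepath.Join(dest, "a"), 0o755)
	os.Symlink("../..", filepath.Join(dest, "a", "x"))
	_, err := safeTarget(dest, "a/x/escaped.txt")
	fmt.Println("a/x/escaped.txt:", err)
}
```

Because safeTarget returns the resolved location rather than the lexical one, os.Create is called on the real path, so a symlink that points back inside destDir is harmless, and a dangling link surfaces as an EvalSymlinks error instead of passing silently. The check is only as good as its ordering: it must run immediately before each create, after every earlier entry has already been written to disk.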

