Bug 2494105 - CVE-2026-57966 spice-vdagent: Path traversal in file transfer via unsanitized filename [fedora-all]
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: spice-vdagent
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Christophe Fergeau
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["1eea3a03-45a6-4e77-aa98-9...
Depends On:
Blocks: CVE-2026-57966
Reported: 2026-06-29 07:56 UTC by Mauro Matteo Cascella
Modified: 2026-06-29 07:56 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Mauro Matteo Cascella 2026-06-29 07:56:28 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

A path traversal vulnerability was found in spice-vdagent. In src/vdagent/file-xfers.c, the filename received from the SPICE host in file transfer metadata is used directly in g_build_filename() without any sanitization (file-xfers.c:138-139, 190). The g_build_filename() function has documented behavior where if the second argument is an absolute path (starts with '/'), the first argument (save_dir) is silently discarded. Additionally, '..' components in relative paths are not stripped, enabling directory traversal.

This allows a malicious SPICE host to write arbitrary files at arbitrary paths on the guest filesystem, with the privileges of the spice-vdagent process (typically the logged-in user).

Note: this is distinct from CVE-2017-15108, which was about unescaped save_dir passed to system() (command injection, CWE-78). This finding concerns the file name parameter not being sanitized for path traversal (CWE-22) — different input variable, different vulnerability class. Exploitation requires a malicious or compromised SPICE host.
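
One way to enforce the missing check described in this report, as an added example that is not spice-vdagent code or the upstream fix: treat the received file name as a single path component and reject everything else before it is joined to the save directory. The function names `xfer_name_is_safe` and `xfer_build_path`, the plain-C join standing in for the g_build_filename() call, and the sample names are assumptions.

```c
/* Added example, not spice-vdagent code; all names here are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef NAME_MAX
#define NAME_MAX 255
#endif

/* Accept only a single, plain path component. */
bool xfer_name_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > NAME_MAX)
        return false;                 /* NULL, empty or over-long */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;                 /* directory references */
    if (strchr(name, '/') != NULL)
        return false;                 /* absolute path or any sub-path */
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)name[i] < 0x20 || name[i] == 0x7f)
            return false;             /* control characters */
    return true;
}

/* Build "<save_dir>/<name>" into out. Returns 0 on success, -1 if the
 * name is rejected or the result does not fit in outlen bytes. */
int xfer_build_path(const char *save_dir, const char *name,
                    char *out, size_t outlen)
{
    int n;

    if (save_dir == NULL || out == NULL || !xfer_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", save_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the bug report. */
    const char *names[] = { "report.pdf", "/tmp/abs.txt", "../escape.txt", "a/b.txt", "..", "" };
    char path[4096];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i],
               xfer_build_path("/home/user/Downloads", names[i], path, sizeof path) == 0 ? path : "(rejected)");
    return 0;
}
```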

