Bug 2494559 - CVE-2026-41991 gzip: gzip: Arbitrary file overwrite via insecure temporary file handling in gzexe utility [fedora-all]
Summary: CVE-2026-41991 gzip: gzip: Arbitrary file overwrite via insecure temporary fi...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: gzip
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Jakub Martisko
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["ccb94f6f-871e-4a60-90f6-5...
Depends On:
Blocks: CVE-2026-41991
TreeView+ depends on / blocked
 
Reported: 2026-06-29 18:00 UTC by Jon Weiser
Modified: 2026-06-29 18:00 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jon Weiser 2026-06-29 18:00:24 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks.
A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.

This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269


Note You need to log in before you can comment on or make changes to this bug.