2432490 – (CVE-2026-1386) CVE-2026-1386 firecracker: Firecracker jailer: Arbitrary file overwrite via symlink attack

Bug 2432490 (CVE-2026-1386) - CVE-2026-1386 firecracker: Firecracker jailer: Arbitrary file overwrite via symlink attack

Summary: CVE-2026-1386 firecracker: Firecracker jailer: Arbitrary file overwrite via s...

Keywords:
Status:	NEW
Alias:	CVE-2026-1386
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2433157 2433158
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-23 21:01 UTC by OSIDB Bzimport
Modified:	2026-01-27 04:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-23 21:01:45 UTC

A UNIX symbolic link following issue in the jailer component in Firecracker version  v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. 

To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.

Note You need to log in before you can comment on or make changes to this bug.