Bug 2431959 (CVE-2026-24049) - CVE-2026-24049 wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking
Keywords:
Status: NEW
Alias: CVE-2026-24049
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2432087 2432088 2432089 2432090 2432091 2432092 2432093 2432094 2432100 2432101 2432102 2432103 2432104 2432110 2432111 2432095 2432096 2432097 2432098 2432099 2432105 2432106 2432107 2432108 2432109
Blocks:
Reported: 2026-01-22 05:01 UTC by OSIDB Bzimport
Modified: 2026-01-22 20:58 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-22 05:01:19 UTC
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.46.1 and below, the unpack function is vulnerable to file permission modification because of how it handles permissions after extraction: it builds the chmod target from the filename recorded in the archive header, even though the extraction step itself may already have sanitized that path, so the mode bits can be applied to a path outside the destination directory. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for privilege escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
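The mismatch described above, as an added example that is not the wheel project's own code: the flawed pattern derives its chmod target from the archive member's name, while the hardened form applies the recorded mode only to the path the extractor actually wrote and confirms that path lies inside the destination. Member names, mode bits and the wheel itself are constructed for the demonstration.

```python
import os
import stat
import tempfile
import zipfile
from pathlib import Path

# Constructed member names and mode bits for this example (hypothetical).
ESCAPING_MEMBER = "../../outside.sh"   # climbs out of the unpack directory
NORMAL_MEMBER = "pkg/tool.sh"
EXEC_MODE = 0o755


def naive_chmod_target(dest_dir: str, member_name: str) -> Path:
    """Flawed pattern: the chmod target is built from the archive's own
    filename, ignoring whatever path the extractor actually wrote."""
    return Path(os.path.join(dest_dir, member_name)).resolve()


def safe_unpack(wheel_path: str, dest_dir: str) -> list:
    """Extract each member, then chmod only the path extract() returned,
    after verifying that it is contained in dest_dir."""
    dest = Path(dest_dir).resolve()
    applied = []
    with zipfile.ZipFile(wheel_path) as zf:
        for info in zf.infolist():
            # ZipFile.extract() strips '..' components and returns the real path
            written = Path(zf.extract(info, dest)).resolve()
            if dest not in written.parents:
                raise ValueError(f"member escapes destination: {info.filename!r}")
            mode = (info.external_attr >> 16) & 0o777  # POSIX bits from header
            if mode:
                os.chmod(written, mode)  # chmod the path we wrote, not info.filename
            applied.append((written.relative_to(dest).as_posix(), mode))
    return applied


def demo() -> dict:
    """Build a constructed wheel with an escaping and a normal member, unpack
    it safely, and report where the naive pattern would have pointed chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "demo-1.0-py3-none-any.whl"
        with zipfile.ZipFile(wheel, "w") as zf:
            for name in (ESCAPING_MEMBER, NORMAL_MEMBER):
                info = zipfile.ZipInfo(name)
                info.external_attr = EXEC_MODE << 16  # record mode bits
                zf.writestr(info, "#!/bin/sh\necho hi\n")
        dest = Path(tmp) / "unpacked"
        dest.mkdir()
        naive = naive_chmod_target(str(dest), ESCAPING_MEMBER)
        applied = safe_unpack(str(wheel), str(dest))
        return {"naive_escapes": dest.resolve() not in naive.parents,
                "applied": applied,
                "mode_ok": stat.S_IMODE((dest / NORMAL_MEMBER).stat().st_mode) == EXEC_MODE}
```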

