2494158 – (CVE-2026-41991) CVE-2026-41991 gzip: gzip: Arbitrary file overwrite via insecure temporary file handling in gzexe utility

Bug 2494158 (CVE-2026-41991) - CVE-2026-41991 gzip: gzip: Arbitrary file overwrite via insecure temporary file handling in gzexe utility

Summary: CVE-2026-41991 gzip: gzip: Arbitrary file overwrite via insecure temporary fi...

Keywords:
Status:	NEW
Alias:	CVE-2026-41991
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2494559
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-29 12:01 UTC by OSIDB Bzimport
Modified:	2026-06-29 18:00 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-29 12:01:29 UTC

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks.
A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.

This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269

Note You need to log in before you can comment on or make changes to this bug.