2463312 – (CVE-2026-7179) CVE-2026-7179 binwalk: WinCE Extraction Plugin: Binwalk WinCE Extraction Plugin: Path Traversal vulnerability

Bug 2463312 (CVE-2026-7179) - CVE-2026-7179 binwalk: WinCE Extraction Plugin: Binwalk WinCE Extraction Plugin: Path Traversal vulnerability

Summary: CVE-2026-7179 binwalk: WinCE Extraction Plugin: Binwalk WinCE Extraction Plug...

Keywords:
Status:	NEW
Alias:	CVE-2026-7179
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2463422
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-27 23:01 UTC by OSIDB Bzimport
Modified:	2026-04-28 10:52 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-27 23:01:24 UTC

A security vulnerability has been detected in OSPG binwalk up to 2.4.3. This vulnerability affects the function read_null_terminated_string of the file src/binwalk/plugins/winceextract.py of the component WinCE Extraction Plugin. Such manipulation of the argument self.file_name leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The project maintainer confirms this issue: "I accept the existence of the Path Traversal vulnerability. However, as stated in the Github link, it reached EOL and as a result no actions should be expected." The GitHub repository mentions, that "[u]sers and contributors should migrate to binwalk v3." This vulnerability only affects products that are no longer supported by the maintainer.

Note You need to log in before you can comment on or make changes to this bug.