CVE-2026-41991
MEDIUMDescription
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| gnu | gzip |
References
Frequently Asked Questions
What is CVE-2026-41991? +
How severe is CVE-2026-41991? +
What products are affected by CVE-2026-41991? +
How do I check if I'm vulnerable to CVE-2026-41991? +
Related Vulnerabilities
Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set …
Products for macOS enables a user logged on to the system to perform a denial-of-service attack, which could be misused …
An insecure temporary file creation vulnerability exists in the AutoExtract component of Robocode version 1.9.3.6. The createTempFile method fails to …
Dell Alienware Command Center 6.x (AWCC), versions prior to 6.10.15.0, contains an Insecure Temporary File vulnerability. A low privileged attacker …
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (Windows client deployments) …
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is …