CVE-2026-24846: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in chainguard-dev malcontent
malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory.
AI Analysis
Technical Summary
CVE-2026-24846 is a path traversal vulnerability classified under CWE-22 and CWE-683 affecting the malcontent tool developed by chainguard-dev, in versions from 1.8.0 up to but not including 1.20.3. Malcontent detects supply-chain compromises by unpacking and analysing archive contents such as tar or deb packages, so it routinely extracts attacker-supplied archives as part of its normal job. Two distinct defects are involved. First, the `handleSymlink` function was called with its arguments in the wrong order, so the attacker-controlled symlink target string from the archive entry was used as the location at which the link was created; a crafted entry could therefore cause a symlink to appear at an arbitrary path writable by the user running the scan. Second, symlink targets were never checked to ensure they resolved inside the extraction directory, so a link created inside that directory could point outside it, and any subsequent archive entries written through that link would land outside the extraction directory as well. Together these allow a crafted archive to create or modify files the scanning user can write to, which is an integrity problem rather than a confidentiality or availability one. The CVSS v3.1 base score is 5.5 (medium): attack vector Local, low complexity, no privileges required, user interaction required, with high impact to integrity only. Note that "Local" here is CVSS terminology for an attack that goes through a file the victim processes; the attacker does not need an account on the host, only to get the archive scanned, which is exactly what malcontent is deployed to do. The fix in version 1.20.3 corrects the argument order in handleSymlink and adds validation that both the symlink location and the resolved symlink target stay within the extraction directory. No public exploits are known at this time, but the vulnerability undermines the integrity of systems relying on malcontent for supply chain security analysis, since the scanner itself becomes the write primitive.
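The two checks the fix adds, validating where a link is created and where it resolves to, are easy to get subtly wrong, so here is an added Go example of what a correct symlink handler for an archive extractor looks like. This is illustrative code written for this page, not malcontent's own `handleSymlink`, and the function names, the constructed archive entries, and the extraction directory are assumptions. It also shows, in the comment on `os.Symlink`, how an argument-order mistake of the kind the advisory describes arises.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when an archive symlink entry would reach outside
// the extraction directory, either by where the link is placed or by where
// its target resolves to.
var ErrEscape = errors.New("symlink entry escapes extraction directory")

// withinDir reports whether the cleaned absolute path p is destDir itself
// or lies somewhere beneath it. A relative path of ".." or starting with
// "../" means p is outside destDir.
func withinDir(destDir, p string) bool {
	rel, err := filepath.Rel(destDir, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// validateSymlink checks one archive symlink entry: linkName is the path
// recorded for the entry (where the link will be created), target is the
// string the link should point at. It returns the absolute path at which the
// link may be created, or ErrEscape. The check is purely lexical and assumes
// destDir is a fresh directory containing no pre-existing symlinks.
func validateSymlink(destDir, linkName, target string) (string, error) {
	destDir = filepath.Clean(destDir)
	if !filepath.IsAbs(destDir) {
		return "", errors.New("destDir must be absolute")
	}

	// 1. Link location. Join cleans the result, so "../x" collapses against
	//    destDir and an absolute linkName is treated as relative to destDir.
	linkPath := filepath.Join(destDir, linkName)
	if linkPath == destDir || !withinDir(destDir, linkPath) {
		return "", fmt.Errorf("%w: link location %q", ErrEscape, linkName)
	}

	// 2. Link target. Absolute targets are refused outright; relative ones
	//    are resolved from the link's own directory and must stay inside.
	if filepath.IsAbs(target) {
		return "", fmt.Errorf("%w: absolute target %q", ErrEscape, target)
	}
	resolved := filepath.Join(filepath.Dir(linkPath), target)
	if !withinDir(destDir, resolved) {
		return "", fmt.Errorf("%w: target %q resolves to %q", ErrEscape, target, resolved)
	}
	return linkPath, nil
}

// extractSymlink validates the entry and then creates the link.
// os.Symlink's signature is Symlink(oldname, newname): oldname is the target
// string stored inside the link, newname is the filesystem path created.
// Swapping the two (os.Symlink(linkPath, target)) would create the link at
// the attacker-controlled target path, which is the argument-order bug class
// described in the advisory.
func extractSymlink(destDir, linkName, target string) error {
	linkPath, err := validateSymlink(destDir, linkName, target)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(linkPath), 0o755); err != nil {
		return err
	}
	return os.Symlink(target, linkPath)
}

func main() {
	dest, err := os.MkdirTemp("", "extract-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)

	// Constructed archive symlink entries (name -> target); not from a real package.
	entries := []struct{ name, target string }{
		{"bin/tool", "../lib/tool.real"},         // fine: stays inside dest
		{"../../../tmp/owned", "bin"},            // link location escapes dest
		{"etc", "/etc"},                          // absolute target
		{"lib/pkgconfig", "../../../../usr/lib"}, // relative target escapes dest
	}
	for _, e := range entries {
		err := extractSymlink(dest, e.name, e.target)
		fmt.Printf("%-22s -> %-22s %v\n", e.name, e.target, err)
	}
}
```

The target check is what closes the second defect: without it, the third and fourth entries would succeed, and any later regular-file entry under `etc/` or `lib/pkgconfig/` would be written outside the extraction directory. Because the validation is lexical, it relies on extracting into a freshly created directory; if an extractor reuses a directory that already contains symlinks, it additionally needs to resolve the parent path on disk (or use a filesystem-scoped API) before writing.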
Potential Impact
For European organizations, this vulnerability could undermine the integrity of supply chain security processes by allowing a crafted archive to create symlinks, and thereby files, outside the intended extraction scope during a scan. This could lead to unauthorized modification of files writable by the scanning user, potentially enabling further compromise of the scanning host or evasion of detection. The threat model is unusual in that malcontent's purpose is to examine untrusted and suspicious artifacts, so a malicious archive reaching it is expected input rather than an anomaly; organizations running malcontent in automated pipelines or security workflows therefore face the risk of corrupted analysis results or compromised build and scanning environments. The CVSS attack vector is Local and user interaction is required, but in practice that interaction is the scan itself, which insider threats, social engineering, or simply submitting a package to a pipeline can trigger. The impact is on data integrity rather than confidentiality or availability. Given the increasing reliance on supply chain security tools in Europe, especially in critical infrastructure and technology sectors, this vulnerability could have cascading effects if exploited. Prompt patching is essential to maintain trust in software supply chain verification processes.
Mitigation Recommendations
European organizations should immediately upgrade malcontent to version 1.20.3 or later, where the vulnerability is fixed. Until the upgrade is complete, restrict access to systems running vulnerable versions to trusted users, and treat any archive from an untrusted source as hostile to the scanner itself; since avoiding untrusted archives defeats the tool's purpose, the practical interim control is isolation: run scans as an unprivileged user in a disposable container or VM with a fresh, dedicated extraction directory and no writable mounts beyond scratch space. Employ monitoring to detect symlink creation or file modifications outside the expected extraction directories on scanning hosts. Incorporate user training to reduce the risk of opening malicious archives on workstations. For organizations using malcontent in automated CI/CD pipelines, ensure pipeline agents run with least privilege in ephemeral environments so that a successful write outside the extraction directory cannot persist or reach other jobs. Regularly review supply chain security tools for updates and vulnerabilities to maintain a robust defense posture.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T14:51:03.059Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697bd0d5ac06320222ba1d62
Added to database: 1/29/2026, 9:27:49 PM
Last enriched: 1/29/2026, 9:42:06 PM
Last updated: 2/6/2026, 3:10:11 PM