CVE-2026-41991: CWE-377: Insecure Temporary File in GNU gzip
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
AI Analysis
Technical Summary
The vulnerability in GNU gzip's gzexe utility arises from insecure temporary file creation when mktemp is not in the user's PATH. The fallback method uses a temporary filename derived solely from the process ID, which is predictable and created without exclusive access or existence checks. This enables a local attacker to pre-create a symbolic link at the expected temporary file path pointing to an arbitrary writable file. When gzexe executes, it follows the symlink and overwrites the target file, resulting in a TOCTOU condition and arbitrary file overwrite. The issue is tracked as CWE-377 and has been fixed in a specific commit (4e6f8b24ab823146ab8776f0b7fe486ab34d4269).
Potential Impact
A local attacker can exploit this vulnerability to overwrite arbitrary files writable by the victim by leveraging predictable temporary file paths and symbolic links. This can lead to unauthorized file modification. The CVSS score is low (2.0), indicating limited impact and requiring local access with high attack complexity.
Mitigation Recommendations
A fix has been committed addressing this vulnerability. However, no official patch release or vendor advisory is provided in the available data. Users should update gzip to a version including the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 or later once available. Until then, avoid running gzexe in environments where mktemp is unavailable or ensure mktemp is present in the PATH to prevent fallback to the insecure method.
CVE-2026-41991: CWE-377: Insecure Temporary File in GNU gzip
Description
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
CVSS v4.0
Score 2.0low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in GNU gzip's gzexe utility arises from insecure temporary file creation when mktemp is not in the user's PATH. The fallback method uses a temporary filename derived solely from the process ID, which is predictable and created without exclusive access or existence checks. This enables a local attacker to pre-create a symbolic link at the expected temporary file path pointing to an arbitrary writable file. When gzexe executes, it follows the symlink and overwrites the target file, resulting in a TOCTOU condition and arbitrary file overwrite. The issue is tracked as CWE-377 and has been fixed in a specific commit (4e6f8b24ab823146ab8776f0b7fe486ab34d4269).
Potential Impact
A local attacker can exploit this vulnerability to overwrite arbitrary files writable by the victim by leveraging predictable temporary file paths and symbolic links. This can lead to unauthorized file modification. The CVSS score is low (2.0), indicating limited impact and requiring local access with high attack complexity.
Mitigation Recommendations
A fix has been committed addressing this vulnerability. However, no official patch release or vendor advisory is provided in the available data. Users should update gzip to a version including the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 or later once available. Until then, avoid running gzexe in environments where mktemp is unavailable or ensure mktemp is present in the PATH to prevent fallback to the insecure method.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-04-23T08:06:09.511Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a425fd627e9c79719d0b4f9
Added to database: 06/29/2026, 12:06:46 UTC
Last enriched: 06/29/2026, 12:21:44 UTC
Last updated: 06/29/2026, 17:31:07 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.