CVE-2026-44604: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Red Hat Pen Drive Powered by Red Hat Lightspeed
A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
AI Analysis
Technical Summary
The rpmuncompress utility in RPM, part of Red Hat Pen Drive Powered by Red Hat Lightspeed, improperly neutralizes special elements in the top-level folder name of certain archive formats (ZIP, 7z, GEM) during extraction. This lack of sanitization allows an attacker to craft an archive with shell metacharacters in the folder name, resulting in OS command injection. The vulnerability is identified as CVE-2026-44604 with a CVSS 3.1 base score of 7.0, indicating high impact on confidentiality, integrity, and availability. The vendor advisory does not currently specify any patch or remediation, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation allows arbitrary command execution as the user performing the extraction, potentially leading to full compromise of the affected system's confidentiality, integrity, and availability. The vulnerability affects local users who can supply crafted archives to the rpmuncompress utility. There is no indication of remote exploitation or exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-44604 for current remediation guidance. Until a fix is available, avoid extracting untrusted archives with rpmuncompress or perform extraction in a restricted environment with minimal privileges to limit potential impact.
CVE-2026-44604: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Red Hat Pen Drive Powered by Red Hat Lightspeed
Description
A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
CVSS v3.1
Score 7.0high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The rpmuncompress utility in RPM, part of Red Hat Pen Drive Powered by Red Hat Lightspeed, improperly neutralizes special elements in the top-level folder name of certain archive formats (ZIP, 7z, GEM) during extraction. This lack of sanitization allows an attacker to craft an archive with shell metacharacters in the folder name, resulting in OS command injection. The vulnerability is identified as CVE-2026-44604 with a CVSS 3.1 base score of 7.0, indicating high impact on confidentiality, integrity, and availability. The vendor advisory does not currently specify any patch or remediation, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation allows arbitrary command execution as the user performing the extraction, potentially leading to full compromise of the affected system's confidentiality, integrity, and availability. The vulnerability affects local users who can supply crafted archives to the rpmuncompress utility. There is no indication of remote exploitation or exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-44604 for current remediation guidance. Until a fix is available, avoid extracting untrusted archives with rpmuncompress or perform extraction in a restricted environment with minimal privileges to limit potential impact.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-05-07T03:57:03.811Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-44604","vendor":"Red Hat"}]
Threat ID: 6a17efcce29bf47b50bb74d7
Added to database: 5/28/2026, 7:33:32 AM
Last enriched: 5/28/2026, 7:48:50 AM
Last updated: 5/29/2026, 3:42:52 PM
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.