GNU gzip gzexe TOCTOU File Overwrite via Symlink
CVE-2026-41991 Published on June 29, 2026

Predictable Temporary File in GNU gzip
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user's PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive creation or an existence check. A local attacker can pre-create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time-of-check to time-of-use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269.
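The following shell script is an added illustration for this advisory, not code from GNU gzip or from the fixing commit. It models the two halves of the problem in a throwaway directory owned by the caller: a PID-only temporary name opened with a plain `>` redirection (which follows whatever symlink already sits at that path), and a fallback that creates a private directory with `mkdir` first, so a pre-planted name of any kind makes the script refuse rather than write through it. The function names, the `gzexe$$` naming scheme and the sandbox layout are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example for the gzexe advisory; not GNU gzip's own code.
# Models the PID-only temporary-file fallback and a hardened alternative
# inside a sandbox directory that belongs to the caller.

# Vulnerable pattern: the name depends only on the PID, and '>' follows a
# symlink that is already present at that path.
weak_tmp_write() {
  tmp="$1/gzexe$$"                 # guessable: only the PID varies
  echo "scratch data" > "$tmp"
}

# Hardened fallback: create a fresh private directory first. mkdir(2) is
# atomic and fails if anything (file, symlink, directory) already owns the
# name, so a planted link is never written through. The scratch file then
# lives inside a directory nobody else could have pre-populated.
safe_tmp_write() {
  work="$1/gzexe$$.d"
  mkdir -m 700 "$work" 2>/dev/null || return 1   # refuse on any collision
  echo "scratch data" > "$work/gzexe"
}

# Runs one writer against a sandbox in which the predictable paths have
# been replaced by symlinks to a constructed, caller-owned victim file.
# Prints "clobbered" if the victim changed and "intact" otherwise.
run_case() {
  writer=$1
  box=$(mktemp -d 2>/dev/null) || {
    # same mkdir-based fallback as above when mktemp itself is missing
    box="${TMPDIR:-/tmp}/gzexe-demo.$$"
    mkdir -m 700 "$box" || return 2
  }
  victim="$box/victim.txt"
  printf 'original\n' > "$victim"
  ln -s "$victim" "$box/gzexe$$"       # link planted at the weak writer's name
  ln -s "$victim" "$box/gzexe$$.d"     # and at the hardened writer's name
  "$writer" "$box" 2>/dev/null || :    # the hardened writer is expected to refuse
  if [ "$(cat "$victim")" = "original" ]; then
    result=intact
  else
    result=clobbered
  fi
  rm -rf "$box"
  echo "$result"
}

# Stand-alone run: prints "weak: clobbered" and "safe: intact".
echo "weak: $(run_case weak_tmp_write)"
echo "safe: $(run_case safe_tmp_write)"
```

The `mkdir` route is used rather than `set -C` (noclobber) because noclobber only makes `>` refuse an existing regular file or a dangling link; a link pointing at a non-regular target is still followed. The script does not reproduce the fix in the referenced commit, which should be consulted for the change actually shipped.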

NVD

Weakness Type

Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.


Products Associated with CVE-2026-41991


Affected Versions

GNU gzip: