CVE-2026-44604: rpmuncompress Command Injection W/O Sanitization
CVE-2026-44604 Published on May 28, 2026
Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command
A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.
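As an added example, not rpm's own code, the hardening a maintainer would apply to the pattern described above: the archive's top-level directory name is validated and single-quoted before it is spliced into a command line, and the fuller fix (fork/exec with an argv[] and no shell) is noted. The `mv` command shape, function names and sample inputs are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Example hardening, not rpm's code: the archive's top-level directory name
 * is validated and quoted before it reaches a shell; "mv" shape is assumed. */
/* Accept only a plain single path component with no shell metacharacters,
 * control characters, or leading '-' (which tar/mv could read as an option). */
int archive_dir_name_is_safe(const char *name)
{
    if (!name || !*name || !strcmp(name, ".") || !strcmp(name, "..") || *name == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p <= 0x20 || *p == 0x7f || *p == '/')
            return 0;
        if (strchr("`$|&;<>()*?[]{}!'\"\\~#", *p))
            return 0;
    }
    return 1;
}

/* Single-quote a string so a POSIX shell takes it literally; an embedded
 * single quote becomes '\'' . Caller frees the result. */
char *shell_single_quote(const char *s)
{
    size_t n = strlen(s), len = 2;
    for (size_t i = 0; i < n; i++)
        len += (s[i] == '\'') ? 4 : 1;
    char *out = malloc(len + 1), *q = out;
    if (!out) return NULL;
    *q++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = s[i];
    }
    *q++ = '\''; *q = '\0';
    return out;
}

/* Build the command only from a validated, quoted name; NULL otherwise.
 * Defence in depth: the fuller fix is execvp() with an argv[] and no shell. */
char *build_move_command(const char *topdir, const char *dest)
{
    if (!archive_dir_name_is_safe(topdir)) return NULL;
    char *qt = shell_single_quote(topdir), *qd = shell_single_quote(dest);
    char *cmd = (qt && qd) ? malloc(strlen(qt) + strlen(qd) + 16) : NULL;
    if (cmd) sprintf(cmd, "mv -- %s/* %s/", qt, qd);
    free(qt); free(qd);
    return cmd;
}
```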
Vulnerability Analysis
CVE-2026-44604 is exploitable with local system access and requires user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public 35 days later.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-44604 has been classified as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-44604