CVE-2026-44604 PUBLISHED

Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directory name in popen() shell command

Assigner: redhat
Reserved: 07.05.2026
Published: 28.05.2026
Updated: 28.05.2026

A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) into a specified destination directory, the tool inserts the archive's top-level directory name into a shell command string that it runs through popen(), without sanitizing or escaping that name. A specially crafted archive whose top-level directory name contains shell metacharacters can therefore execute arbitrary commands with the privileges of the user running the extraction.
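The root cause is string-building a shell command from untrusted archive metadata. The fix for this bug class is to stop involving a shell at all: pass the name as a single argv element to exec, and apply a character allow-list as defence in depth. The following is an added illustration, not RPM's own code, and assumes a hypothetical extraction command of the form `tar -xf ARCHIVE -C DEST TOP`:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allow-list for a top-level archive directory name: letters, digits,
 * '.', '_', '-', '+'. Rejects empty names, a leading '-' (would be read
 * as a tar option), ".", "..", '/' and every shell metacharacter. */
int toplevel_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '-') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && !strchr("._-+", c)) return 0;
    }
    return 1;
}

/* Build the NULL-terminated argv for the hypothetical command
 * "tar -xf ARCHIVE -C DEST TOP". Each value is its own argv entry, so
 * unlike a popen() format string there is no shell to interpret ';',
 * '$(...)' or backticks inside TOP. Returns argc, or -1 when the buffer
 * is too small or the name fails the allow-list. */
int build_tar_argv(const char *archive, const char *dest, const char *top,
                   char **argv, size_t cap)
{
    if (cap < 7 || !toplevel_name_is_safe(top)) return -1;
    argv[0] = "tar";  argv[1] = "-xf"; argv[2] = (char *)archive;
    argv[3] = "-C";   argv[4] = (char *)dest; argv[5] = (char *)top;
    argv[6] = NULL;
    return 6;
}

/* fork/exec replacement for popen(): returns the child's exit status,
 * or -1 if it could not be started or did not exit normally. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allow-list alone would not be enough if the command string were still handed to a shell; the argv-based exec is the primary fix, the allow-list only narrows what reaches tar.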

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7

Product Status

Vendor: Red Hat (for every entry)
Versions: default status unknown

  • Pen Drive Powered by Red Hat Lightspeed
  • Red Hat build of Quarkus Native builder
  • Red Hat Enterprise Linux 10
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Hardened Images
  • Red Hat OpenShift Container Platform 4
  • Red Hat Satellite 6

Problem Types

  • CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')