CVE-2026-40024

Name: CVE-2026-40024
Description: The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1133073

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release      Version          Status
sleuthkit (PTS)   bullseye     4.10.1+dfsg-1    vulnerable
                  bookworm     4.11.1+dfsg-1    vulnerable
                  trixie       4.12.1+dfsg-3    vulnerable
                  forky, sid   4.14.0+dfsg-1    vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
sleuthkit   source   (unstable)   (unfixed)                          1133073

Notes

[trixie] - sleuthkit <no-dsa> (Minor issue)
[bookworm] - sleuthkit <no-dsa> (Minor issue)
https://github.com/sleuthkit/sleuthkit/commit/a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b
