CVE-2026-46607

NameCVE-2026-46607
DescriptionGlances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path — through any of several realistic local or container-level scenarios — can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default). This vulnerability is fixed in 4.5.5.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glances (PTS)bookworm3.3.1.1+dfsg-1vulnerable
trixie4.3.1+dfsg-1vulnerable
forky, sid4.5.5+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glancessource(unstable)4.5.5+dfsg-1

Notes

[trixie] - glances <no-dsa> (Minor issue)
https://github.com/nicolargo/glances/security/advisories/GHSA-9837-48hr-q32j

Search for package or bug name: Reporting problems