VDB
RHSA-2026%3A7250
RHSA-2026%3A7250
PUBLISHED
CVSS 7.099999904632568 HIGH
A path traversal flaw has been discovered in the python wheel too. The unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts.
Risk Scores
CVSS 3.1
7.099999904632568
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/openshift4/ose-ptp-rhel9-operator@sha256:a9026a5457c09e591e136ce6c6ad7bc49bb4845b96efad280483072186a6c360_amd64 as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/ose-ptp-rhel9-operator@sha256:a9026a5457c09e591e136ce6c6ad7bc49bb4845b96efad280483072186a6c360_amd64 |
| Red Hat | registry.redhat.io/openshift4/ose-dpu-cni-rhel9@sha256:02656088e03623d8aa6815ae8c9e8ea7c582bbc179d104dff1e15f2a2901631c_arm64 as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/ose-dpu-cni-rhel9@sha256:02656088e03623d8aa6815ae8c9e8ea7c582bbc179d104dff1e15f2a2901631c_arm64 |
| Red Hat | registry.redhat.io/openshift4/ose-cluster-capacity-rhel9@sha256:7a10d4b09834bf62b7d8e9bf9d0bf615d431ced66bec314a4346bda73e6d77d7_arm64 as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/ose-cluster-capacity-rhel9@sha256:7a10d4b09834bf62b7d8e9bf9d0bf615d431ced66bec314a4346bda73e6d77d7_arm64 |
| Red Hat | registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9@sha256:0d5e7a756266f2e2a008318d2903d1dc83e46ad9f163ab443c0ea2666e8e10b8_ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9@sha256:0d5e7a756266f2e2a008318d2903d1dc83e46ad9f163ab443c0ea2666e8e10b8_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-local-storage-rhel9-operator@sha256:cf5320c6644e505b447c6a173b16d1dd729e873419f28bea969cbd4e4bec4c1f_arm64 as a component of Red Hat OpenShift Container Platform 4.19 | registry.redhat.io/openshift4/ose-local-storage-rhel9-operator@sha256:cf5320c6644e505b447c6a173b16d1dd729e873419f28bea969cbd4e4bec4c1f_arm64, * |
| Red Hat | registry.redhat.io/openshift4/ose-secrets-store-csi-driver-rhel9-operator@sha256:46dbd254c70365e6da64a177e288f47fa9e5aad011ca4d09dbac6e36dd0b93cd_amd64 as a component of Red Hat OpenShift Container Platform 4.19 | *, * |
| Red Hat | registry.redhat.io/openshift4/ingress-node-firewall-rhel9-operator@sha256:28fecd246e829e7d1f27cebcf1d061bb2fe4e811cb20032a34d27355f5eafead_s390x as a component of Red Hat OpenShift Container Platform 4.19 | *, * |
| Red Hat | registry.redhat.io/openshift4/ose-smb-csi-driver-rhel9@sha256:cf6d95a9041cf5318aff274390e83cc7c2c6361d651111dc21b1d02bc7e14cd7_s390x as a component of Red Hat OpenShift Container Platform 4.19 | registry.redhat.io/openshift4/ose-smb-csi-driver-rhel9@sha256:cf6d95a9041cf5318aff274390e83cc7c2c6361d651111dc21b1d02bc7e14cd7_s390x, * |
| Red Hat | registry.redhat.io/openshift4/ose-smb-csi-driver-rhel9@sha256:9ada2323ff51455c3399c0f760f53540421de0459c9dfd5b027614300bc983d9_ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | registry.redhat.io/openshift4/ose-smb-csi-driver-rhel9@sha256:9ada2323ff51455c3399c0f760f53540421de0459c9dfd5b027614300bc983d9_ppc64le, * |
| Red Hat | registry.redhat.io/openshift4/metallb-rhel9-operator@sha256:0a8fcdb4ad3df99ff628fdc4956d7177638327db77627709990a717d24537fdd_ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | registry.redhat.io/openshift4/metallb-rhel9-operator@sha256:0a8fcdb4ad3df99ff628fdc4956d7177638327db77627709990a717d24537fdd_ppc64le, * |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:0812a336f2ca50c440014e3e74c6dd94b5c9b1fd7e99b760cfb2c083ff48422e_amd64 as a component of Red Hat OpenShift Container Platform 4.19 | registry.redhat.io/openshift4/ose-sriov-infiniband-cni-rhel9@sha256:0812a336f2ca50c440014e3e74c6dd94b5c9b1fd7e99b760cfb2c083ff48422e_amd64, * |
| Red Hat | registry.redhat.io/openshift4/ose-cloud-event-proxy-rhel9@sha256:99d875172765c907b4335079f3ed3c90ce65c573e531dfb6c45f05ae1812d81c_arm64 as a component of Red Hat OpenShift Container Platform 4.19 | registry.redhat.io/openshift4/ose-cloud-event-proxy-rhel9@sha256:99d875172765c907b4335079f3ed3c90ce65c573e531dfb6c45f05ae1812d81c_arm64, * |
| Red Hat | registry.redhat.io/openshift4/ose-dpu-cni-rhel9@sha256:ef21b9b7819a3215f8221fd1d93ef18d635314702132f47facc1a26e6bade7dc_amd64 as a component of Red Hat OpenShift Container Platform 4.19 | *, * |
| Red Hat | registry.redhat.io/openshift4/ose-secrets-store-csi-driver-rhel9-operator@sha256:fd28fd5888dfbb8918dd3c1ca2decfe563a34c1d9e22c2ab9c793093113c6d70_ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/ose-secrets-store-csi-driver-rhel9-operator@sha256:fd28fd5888dfbb8918dd3c1ca2decfe563a34c1d9e22c2ab9c793093113c6d70_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-secrets-store-csi-driver-rhel9@sha256:b27f96de7c14947404bb99468396a81a26cb2913f00e875a07498daba159bbac_ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | registry.redhat.io/openshift4/ose-secrets-store-csi-driver-rhel9@sha256:b27f96de7c14947404bb99468396a81a26cb2913f00e875a07498daba159bbac_ppc64le, * |
| Red Hat | registry.redhat.io/openshift4/ose-node-feature-discovery-rhel9@sha256:bc8fc680c7700a5ce95e285a8b420d305177b8e206bb8a6cc145cf33747bc070_s390x as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/ose-node-feature-discovery-rhel9@sha256:bc8fc680c7700a5ce95e285a8b420d305177b8e206bb8a6cc145cf33747bc070_s390x |
| Red Hat | registry.redhat.io/openshift4/ose-sriov-network-webhook-rhel9@sha256:4c35add8f745dbda9aae0fefd18ed61266ad546e4c6fd6441a76b107c3c577ec_arm64 as a component of Red Hat OpenShift Container Platform 4.19 | *, * |
| Red Hat | registry.redhat.io/openshift4/sriov-cni-rhel9@sha256:af9af14d62c165ac51e172586c6723a8cbd3fe6220dcd3f4ea5ecdd66eb731b7_arm64 as a component of Red Hat OpenShift Container Platform 4.19 | *, * |
| Red Hat | registry.redhat.io/openshift4/pf-status-relay-rhel9-operator@sha256:621efd9b234286cc10b6dc2deeffd2bc1f13ea115556120975c9ef7a00eb8618_ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/pf-status-relay-rhel9-operator@sha256:621efd9b234286cc10b6dc2deeffd2bc1f13ea115556120975c9ef7a00eb8618_ppc64le |
| Red Hat | registry.redhat.io/openshift4/ose-gcp-filestore-csi-driver-rhel9@sha256:9c6db0ed94e881535e9addf1e6a12c0215c5ccb4a8592cee3cac43706cddabdd_ppc64le as a component of Red Hat OpenShift Container Platform 4.19 | *, registry.redhat.io/openshift4/ose-gcp-filestore-csi-driver-rhel9@sha256:9c6db0ed94e881535e9addf1e6a12c0215c5ccb4a8592cee3cac43706cddabdd_ppc64le |
…and 165 more
Timeline
- Apr 16, 2026 CVE Published
- May 5, 2026 Distribution Patch
- May 5, 2026 Distribution Patch
- May 5, 2026 Security Advisory
- May 5, 2026 Security Advisory
- May 13, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:7250 advisory
- https://access.redhat.com/security/cve/CVE-2026-24049 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7250.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2431959 issue
- https://www.cve.org/CVERecord?id=CVE-2026-24049 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-24049 advisory
- https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef advisory
- https://github.com/pypa/wheel/releases/tag/0.46.2 advisory
- https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx advisory