HIGH · CVE-2026-40024 · CVSS 7.1

Sleuth Kit tsk_recover Path Traversal

Platform

linux

Component

sleuthkit

Fixed in

4.14.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-40024 describes a path traversal vulnerability discovered in The Sleuth Kit, a popular open-source digital forensics tool. This flaw allows an attacker to write files outside the intended recovery directory by manipulating filenames within a filesystem image. Successful exploitation could lead to code execution by overwriting critical system files, impacting the integrity and security of the forensic analysis environment. The vulnerability affects versions from 0.0.0–a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b and is resolved in version 4.15.0.

Impact and Attack Scenarios

The core impact of this path traversal vulnerability lies in its ability to bypass intended file system boundaries. An attacker can craft a malicious filesystem image containing filenames with carefully constructed /../ sequences. When The Sleuth Kit's tsk_recover function processes this image, it will incorrectly interpret these sequences, allowing the attacker to write files to locations outside the designated recovery directory. This could involve overwriting shell configuration files (e.g., .bashrc, .profile), cron entries, or other system binaries, effectively achieving remote code execution. The blast radius extends to any system running The Sleuth Kit and processing potentially malicious filesystem images, particularly in forensic analysis workflows where untrusted images are routinely handled.

Exploitation Context

As of the publication date (2026-04-08), this CVE has not been added to the CISA KEV catalog. There are currently no publicly available proof-of-concept exploits, but the vulnerability's nature and the ease of crafting malicious filenames suggest a moderate probability of exploitation. The vulnerability's impact, combined with the widespread use of The Sleuth Kit in digital forensics, warrants careful attention and prompt remediation.

Who Is at Risk

Digital forensics investigators and security analysts who utilize The Sleuth Kit for analyzing filesystem images are at risk. Specifically, those using older, unpatched versions of the tool in automated workflows or environments with limited access controls are particularly vulnerable. Shared hosting environments where multiple users have access to filesystem images are also at increased risk.

Detection Steps

• linux / server:

journalctl -g "tsk_recover" -u the-sleuth-kit | grep -i "path traversal"

• linux / server:

lsof | grep /path/to/recovery/directory/../

• linux / server:

find / -name '*..*' -print 2>/dev/null

Attack Timeline

  1. Disclosure

Threat Analysis

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Low
Reports: 1 threat report

EPSS

0.03% (8th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT ANALYSIS · CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N · 7.1 HIGH

Attack Vector: Local (how the attacker reaches the target)
Attack Complexity: Low (conditions required for successful exploitation)
Privileges Required: None (authentication level required)
User Interaction: Required (whether a victim must perform an action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data disclosure)
Integrity: High (risk of unauthorised data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Local: the attacker needs a local session or shell on the system.
Attack Complexity
Low: no special conditions are required; reliably exploitable.
Privileges Required
None: exploitable without authentication; no credentials required.
User Interaction
Required: the victim must open a file, click a link or visit a page.
Scope
Unchanged: impact is limited to the vulnerable component.
Confidentiality
High: complete loss of confidentiality; the attacker can read all data.
Integrity
High: the attacker can write, modify or delete arbitrary data.
Availability
None: no impact on availability.

Affected Software

Component: sleuthkit
Vendor: sleuthkit
Affected range: 0 – 4.14.0
Fixed in: 4.14.1

Vulnerability Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-40024 is to upgrade to The Sleuth Kit version 4.15.0 or later, which contains the fix. If upgrading immediately is not feasible due to compatibility concerns or system downtime requirements, consider implementing temporary workarounds. One approach is to sanitize all filesystem image filenames before processing them with tsk_recover, removing or escaping any /../ sequences. Additionally, restrict the permissions of the user account running tsk_recover to minimize the potential impact of a successful exploit. Monitor system logs for unusual file creation activity in unexpected directories. After upgrading, confirm the fix by attempting to recover a test filesystem image with a known malicious filename containing path traversal sequences; the files should not be written outside the intended recovery directory.
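The following is an added example, not part of this advisory and not The Sleuth Kit's own fix. It shows the kind of containment check the workaround above describes: every file name read from an untrusted image is resolved against the recovery directory, and any name whose normalised path lands outside that directory is rejected rather than written. A second helper strips `..` segments, which is the "remove any /../ sequences" workaround in its simplest form. The recovery root `/tmp/recovered` and the sample file names are constructed for illustration; image names are treated as POSIX paths.

```python
import posixpath
from typing import Optional

# Added example: path-containment check for names read from an untrusted
# filesystem image before anything is written under a recovery directory.
# Illustrative code only; not The Sleuth Kit's own implementation.


def resolve_under_root(recovery_root: str, image_name: str) -> Optional[str]:
    """Return the on-disk path for image_name beneath recovery_root, or
    None if the normalised path would fall outside the recovery directory.

    A leading '/' is stripped so that an absolute name from the image is
    re-rooted under the recovery directory instead of the real filesystem
    root; '..' segments are resolved by normpath and then checked.
    """
    root = posixpath.normpath(recovery_root)
    relative = image_name.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Compare against "root/" so that a sibling such as "/tmp/recoveredX"
    # does not pass a bare prefix test.
    prefix = root.rstrip("/") + "/"
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None  # '..' segments climbed out of the recovery directory


def sanitize_name(image_name: str) -> str:
    """Drop '.', '..' and empty segments so the returned relative name can
    only ever resolve beneath the recovery directory."""
    kept = [seg for seg in image_name.split("/") if seg not in ("", ".", "..")]
    return "/".join(kept)


def plan_recovery(recovery_root: str, image_names) -> dict:
    """Classify each name as ('ok', target_path) or ('rejected', None).
    A real tool would log the rejected names so the analyst can review
    them; it must never write them."""
    plan = {}
    for name in image_names:
        target = resolve_under_root(recovery_root, name)
        plan[name] = ("ok", target) if target is not None else ("rejected", None)
    return plan


if __name__ == "__main__":
    # Constructed sample names, including traversal attempts (hypothetical).
    SAMPLE_NAMES = [
        "docs/report.txt",
        "a/../b.txt",
        "../../home/analyst/.bashrc",
        "/etc/cron.d/job",
        "x/../../../tmp/evil",
    ]
    for name, (decision, target) in plan_recovery("/tmp/recovered", SAMPLE_NAMES).items():
        print(f"{decision:8} {name!r:32} -> {target}")
```

Rejecting rather than silently rewriting is the safer default for a forensic tool: a name that tries to escape the output directory is itself evidence worth recording. The `sanitize_name` variant is useful where the workflow must still recover the file's contents under a safe name.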

How to Fix

Upgrade to version 4.15.0 or later to mitigate the path traversal vulnerability. The update corrects how tsk_recover handles file names, preventing files from being written outside the intended recovery directory. Verify the integrity of filesystem images before processing them with tsk_recover.


Frequently Asked Questions

What is CVE-2026-40024 — Path Traversal in The Sleuth Kit?

CVE-2026-40024 is a path traversal vulnerability in The Sleuth Kit allowing attackers to write files outside the intended recovery directory, potentially leading to code execution.

Am I affected by CVE-2026-40024 in The Sleuth Kit?

You are affected if you are using The Sleuth Kit versions 0.0.0–a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b or earlier.

How do I fix CVE-2026-40024 in The Sleuth Kit?

Upgrade to The Sleuth Kit version 4.15.0 or later to resolve the vulnerability.

Is CVE-2026-40024 being actively exploited?

As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.

Where can I find the official The Sleuth Kit advisory for CVE-2026-40024?

Refer to the official The Sleuth Kit project website and security mailing lists for updates and advisories.
