Platform: linux
Component: sleuthkit
Fixed in: 4.14.1
CVE-2026-40024 describes a path traversal vulnerability discovered in The Sleuth Kit, a popular open-source digital forensics tool. This flaw allows an attacker to write files outside the intended recovery directory by manipulating filenames within a filesystem image. Successful exploitation could lead to code execution by overwriting critical system files, impacting the integrity and security of the forensic analysis environment. The vulnerability affects versions from 0.0.0–a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b and is resolved in version 4.15.0.
The core impact of this path traversal vulnerability lies in its ability to bypass intended file system boundaries. An attacker can craft a malicious filesystem image containing filenames with carefully constructed /../ sequences. When The Sleuth Kit's tsk_recover function processes this image, it will incorrectly interpret these sequences, allowing the attacker to write files to locations outside the designated recovery directory. This could involve overwriting shell configuration files (e.g., .bashrc, .profile), cron entries, or other system binaries, effectively achieving remote code execution. The blast radius extends to any system running The Sleuth Kit and processing potentially malicious filesystem images, particularly in forensic analysis workflows where untrusted images are routinely handled.
As of the publication date (2026-04-08), this CVE has not been added to the CISA KEV catalog. There are currently no publicly available proof-of-concept exploits, but the vulnerability's nature and the ease of crafting malicious filenames suggest a moderate probability of exploitation. The vulnerability's impact, combined with the widespread use of The Sleuth Kit in digital forensics, warrants careful attention and prompt remediation.
Digital forensics investigators and security analysts who utilize The Sleuth Kit for analyzing filesystem images are at risk. Specifically, those using older, unpatched versions of the tool in automated workflows or environments with limited access controls are particularly vulnerable. Shared hosting environments where multiple users have access to filesystem images are also at increased risk.
• linux / server:
journalctl -g "tsk_recover" -u the-sleuth-kit | grep -i "path traversal"
• linux / server:
lsof | grep /path/to/recovery/directory/../
• linux / server:
find / -name '*..*' -print 2>/dev/null
Exploit status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40024 is to upgrade to The Sleuth Kit version 4.15.0 or later, which contains the fix. If upgrading immediately is not feasible due to compatibility concerns or system downtime requirements, consider implementing temporary workarounds. One approach is to sanitize all filesystem image filenames before processing them with tsk_recover, removing or escaping any /../ sequences. Additionally, restrict the permissions of the user account running tsk_recover to minimize the potential impact of a successful exploit. Monitor system logs for unusual file creation activity in unexpected directories. After upgrading, confirm the fix by attempting to recover a test filesystem image with a known malicious filename containing path traversal sequences; the files should not be written outside the intended recovery directory.
Upgrade to version 4.15.0 or later to mitigate the path traversal vulnerability. The update corrects how tsk_recover handles filenames, preventing files from being written outside the intended recovery directory. Verify the integrity of filesystem images before processing them with tsk_recover.
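The filename-sanitization workaround described above, sketched in C as an added example (not Sleuth Kit code and not the project's fix). `naive_recover_path` and `safe_recover_path` are hypothetical helpers, and `/cases/out` and the sample names are constructed; the hardened version checks each component of the image-supplied name instead of stripping `/../` substrings, and refuses the file when a `..` component appears.

```c
#include <stdio.h>
#include <string.h>

/* Naive join for contrast: trusts the name stored in the image. */
int naive_recover_path(const char *base, const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", base, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical hardened join (not Sleuth Kit code). Returns -1 on a ".."
 * component, an empty name or an overlong result; otherwise 0, path in out. */
int safe_recover_path(const char *base, const char *name, char *out, size_t outlen)
{
    size_t base_len = strlen(base), used = base_len;
    if (used == 0 || used >= outlen) return -1;
    memcpy(out, base, used + 1);
    for (const char *p = name; *p; ) {
        while (*p == '/') p++;            /* absolute names become relative to base */
        size_t n = strcspn(p, "/");       /* length of the next component */
        if (n == 0) break;                /* trailing slash */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return -1;                    /* traversal component: refuse the file */
        if (!(n == 1 && p[0] == '.')) {   /* "." adds nothing, drop it */
            if (used + 1 + n >= outlen) return -1;
            out[used++] = '/';
            memcpy(out + used, p, n);
            used += n;
            out[used] = '\0';
        }
        p += n;
    }
    return used == base_len ? -1 : 0;     /* nothing left to write */
}

int main(void)
{
    /* Constructed sample names, as they might appear in an untrusted image. */
    const char *names[] = { "docs/report.txt", "a/../../../home/analyst/.bashrc", "/etc/cron.d/job" };
    char buf[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        naive_recover_path("/cases/out", names[i], buf, sizeof buf);
        printf("naive: %s\n", buf);
        int rc = safe_recover_path("/cases/out", names[i], buf, sizeof buf);
        printf("safe:  %s\n", rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

The check is purely lexical, so it does not account for symbolic links that already exist under the output directory.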
CVE-2026-40024 is a path traversal vulnerability in The Sleuth Kit allowing attackers to write files outside the intended recovery directory, potentially leading to code execution.
You are affected if you are using The Sleuth Kit versions 0.0.0–a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b or earlier.
Upgrade to The Sleuth Kit version 4.15.0 or later to resolve the vulnerability.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official The Sleuth Kit project website and security mailing lists for updates and advisories.