Platform: linux
Component: sleuthkit
Fixed in: 4.14.1
CVE-2026-40024 describes a path traversal vulnerability discovered in The Sleuth Kit, a popular open-source digital forensics tool. This flaw allows an attacker to write files to arbitrary locations on the system, potentially leading to code execution and complete system compromise. The vulnerability affects versions of The Sleuth Kit prior to 4.15.0 and has been publicly disclosed. A fix is available in version 4.15.0.
The path traversal vulnerability in The Sleuth Kit's tsk_recover function allows an attacker to bypass intended file system access controls. By crafting malicious filesystem images containing carefully constructed filenames with path traversal sequences (e.g., /../), an attacker can trick tsk_recover into writing files outside the designated recovery directory. This could involve overwriting critical system files, such as shell configuration files (.bashrc, .profile) or cron entries, effectively gaining persistent code execution on the target system. The potential impact is significant, as successful exploitation could lead to complete system takeover and data exfiltration. This vulnerability shares similarities with other path traversal exploits where attackers leverage directory traversal sequences to manipulate file system access.
CVE-2026-40024 was published on 2026-04-08. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. The availability of a public proof-of-concept is currently unknown, but the nature of the vulnerability suggests that one could be developed relatively easily.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-40024 is to upgrade to The Sleuth Kit version 4.15.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the tsk_recover function and the filesystem images being processed to trusted users only. Implement input validation to sanitize filenames and directory paths before processing them, specifically filtering out or escaping /../ sequences. Consider using a Web Application Firewall (WAF) or proxy to inspect and block requests containing suspicious path traversal patterns. Monitor system logs for unusual file creation or modification activity in unexpected locations.
Upgrade to version 4.15.0 or later to mitigate the path traversal vulnerability. The update corrects how tsk_recover handles filenames, preventing files from being written outside the intended recovery directory. Verify the integrity of filesystem images before processing them with tsk_recover.
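The filename validation recommended above is more reliable when done per path component than by searching for the /../ substring, which misses a leading ../ and a trailing /.. entirely. The following is an added example, not The Sleuth Kit's code or its actual fix; build_recovery_path and the /cases/out directory are hypothetical names, and the sample filenames are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Sleuth Kit API): build the path a recovered file
 * would be written to, treating `name` (taken from the image) as untrusted.
 * Returns 0 on success, -1 if the name is rejected or the result does not fit. */
int build_recovery_path(const char *recovery_dir, const char *name,
                        char *out, size_t outlen)
{
    size_t used = strlen(recovery_dir);
    int components = 0;
    if (used == 0 || used + 1 > outlen)
        return -1;
    memcpy(out, recovery_dir, used + 1);
    while (*name != '\0') {
        /* Length of the next component, up to '/' or end of string. */
        size_t len = strcspn(name, "/");
        if (len == 2 && name[0] == '.' && name[1] == '.')
            return -1;          /* any ".." component is refused outright */
        /* Empty and "." components are skipped; this also strips a leading '/'. */
        if (len > 0 && !(len == 1 && name[0] == '.')) {
            /* Room for '/', the component and the terminating NUL. */
            if (used + 1 + len + 1 > outlen)
                return -1;
            out[used++] = '/';
            memcpy(out + used, name, len);
            used += len;
            out[used] = '\0';
            components++;
        }
        name += len;
        if (*name == '/')
            name++;
    }
    return components > 0 ? 0 : -1;   /* a name with no components is refused */
}

int main(void)
{
    /* Constructed sample names, as they might appear in a crafted image. */
    const char *names[] = { "docs/report.txt", "/etc/passwd",
                            "a/../../.bashrc", "../x", "dir/..", "./a//b" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = build_recovery_path("/cases/out", names[i], path, sizeof path);
        printf("%-18s -> %s\n", names[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

An absolute name such as /etc/passwd is not rejected but re-rooted under the recovery directory, so it can no longer reach the host's own file.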
CVE-2026-40024 is a path traversal vulnerability in The Sleuth Kit allowing attackers to write files outside the intended recovery directory, potentially leading to code execution.
You are affected if you are using The Sleuth Kit versions 0.0.0–a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b or earlier.
Upgrade to The Sleuth Kit version 4.15.0 or later to resolve the vulnerability.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official The Sleuth Kit project website and security mailing lists for updates and advisories.