| From | Moritz Mühlenhoff <jmm@inutil.org> |
|---|---|
| Newsgroups | linux.debian.bugs.dist |
| Subject | Bug#1136010: binwalk: CVE-2026-7179 |
| Date | 2026-05-08 15:30 +0200 |
| Message-ID | <MStrb-3zJ8-9@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Source: binwalk
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for binwalk.
CVE-2026-7179[0]:
| A security vulnerability has been detected in OSPG binwalk up to
| 2.4.3. This vulnerability affects the function
| read_null_terminated_string of the file
| src/binwalk/plugins/winceextract.py of the component WinCE
| Extraction Plugin. Such manipulation of the argument self.file_name
| leads to path traversal. The attack can only be performed from a
| local environment. The exploit has been disclosed publicly and may
| be used. The project maintainer confirms this issue: "I accept the
| existence of the Path Traversal vulnerability. However, as stated in
| the Github link, it reached EOL and as a result no actions should be
| expected." The GitHub repository mentions, that "[u]sers and
| contributors should migrate to binwalk v3." This vulnerability only
| affects products that are no longer supported by the maintainer.
https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/binwalk_path_traversal.md
This sounds like binwalk shouldn't be included in forky?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-7179
https://www.cve.org/CVERecord?id=CVE-2026-7179
Please adjust the affected versions in the BTS as needed.
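
The containment check that addresses this class of bug, as an added example that is not part of the original report and is not binwalk's code: a file name read from an untrusted image is resolved against the extraction directory and rejected if it lands outside it. The function names, the exception type and the sample bytes are assumptions constructed for illustration.

```python
import os

class UnsafeEntryName(ValueError):
    """An entry name from the image would land outside the extraction root."""

def read_cstring(buf: bytes, offset: int, max_len: int = 260) -> str:
    """Decode a NUL-terminated name from untrusted bytes (hypothetical helper)."""
    end = buf.find(b"\x00", offset, offset + max_len)
    if end == -1:
        raise UnsafeEntryName("unterminated or over-long name")
    return buf[offset:end].decode("ascii", errors="strict")

def safe_output_path(root: str, entry_name: str) -> str:
    """Map an untrusted entry name to a path guaranteed to stay under root."""
    if not entry_name:
        raise UnsafeEntryName("empty name")
    # Normalise Windows separators so '..\\..' cannot slip past a POSIX-only check.
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntryName(f"absolute name: {entry_name!r}")
    root_real = os.path.realpath(root)
    # realpath collapses '..' and resolves symlinks already present under root.
    target = os.path.realpath(os.path.join(root_real, name))
    if target == root_real or os.path.commonpath([root_real, target]) != root_real:
        raise UnsafeEntryName(f"escapes extraction root: {entry_name!r}")
    return target

def check_image(buf: bytes, offsets, root: str) -> dict:
    """Classify each name found at the given offsets as 'ok' or 'rejected'."""
    results = {}
    for off in offsets:
        name = read_cstring(buf, off)
        try:
            safe_output_path(root, name)
            results[name] = "ok"
        except UnsafeEntryName:
            results[name] = "rejected"
    return results

# Constructed sample: 4 filler bytes, one benign name, one traversal name.
CONSTRUCTED_IMAGE = b"\x00" * 4 + b"nk.exe\x00" + b"..\\..\\tmp\\x\x00"
CONSTRUCTED_OFFSETS = (4, 11)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        print(check_image(CONSTRUCTED_IMAGE, CONSTRUCTED_OFFSETS, root))
```
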