Vulnerabilities ›

CVE-2026-44604

High

CWE-78 — Weakness Type

                    Published: May 28, 2026                      ·  Modified: Jun 4, 2026                      ·  Source: NVD                

CVSS v3

7.0

🔗 NVD Official

📄 Description (English)

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

🤖 AI Executive Summary

CVE-2026-44604 is a command injection vulnerability in RPM's rpmuncompress utility that allows arbitrary command execution through unsanitized archive folder names. Attackers can craft malicious archives with shell metacharacters to execute commands with the privileges of the extraction process.

📄 Description (Arabic)

ثغرة حقن الأوامر في أداة rpmuncompress في RPM تسمح بتنفيذ أوامر عشوائية عند استخراج أرشيفات ZIP و7z و GEM. يمكن للمهاجمين إنشاء أرشيفات ضارة تحتوي على أحرف shell في أسماء المجلدات لتنفيذ أوامر بصلاحيات المستخدم الذي يقوم بالاستخراج.

🤖 ملخص تنفيذي (AI)

A command injection flaw exists in RPM's rpmuncompress tool when processing ZIP, 7z, and GEM archives with unsanitized folder names. Specially crafted archives containing shell metacharacters can lead to arbitrary command execution on affected systems.

🤖 AI Intelligence Analysis Analyzed: Jun 2, 2026 06:37

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government energy telecom banking healthcare

🎯 MITRE ATT&CK Techniques

T1059.004 T1203 T1566.001

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update RPM to the latest patched version that properly sanitizes archive folder names before using them in shell commands. Implement input validation and use safe command execution methods that avoid shell interpretation. Restrict archive extraction to trusted sources only.

🔧 خطوات المعالجة (العربية)

قم بتحديث RPM إلى أحدث إصدار معدل يقوم بتعقيم أسماء مجلدات الأرشيف بشكل صحيح قبل استخدامها في أوامر shell. طبق التحقق من صحة المدخلات واستخدم طرق تنفيذ الأوامر الآمنة التي تتجنب تفسير shell. قيد استخراج الأرشيف إلى المصادر الموثوقة فقط.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.1.1.1 A.2.1.1 A.2.1.2

🔵 SAMA CSF

ID.BE-1 PR.DS-1 PR.IP-1

🟡 ISO 27001:2022

A.12.2.1 A.14.2.1 A.14.2.5

🔗 References & Sources 2

🔗

https://access.redhat.com/security/cve/CVE-2026-44604

secalert@redhat.com

🔗

https://bugzilla.redhat.com/show_bug.cgi?id=2460967

secalert@redhat.com

📊 CVSS Score

7.0

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityH — High

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.0

CWECWE-78

EPSS0.02%

Exploit No

Patch ✗ No

Published 2026-05-28

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-78

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-44604

Introduce Yourself

Sign In Required