CVE-2026-41991
MediumCVSS 4.7Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
GNU gzip has a vulnerability in the gzexe utility related to insecure temporary file handling. When mktemp is not available in the user's PATH, gzexe creates a temporary file with a predictable name based solely on the PID, without exclusive access or existence checks. A local attacker can pre-create this path as a symlink to an arbitrary writable file, causing a TOCTOU condition that allows arbitrary file overwrite.
Risk Assessment
The risk is that a local attacker can overwrite arbitrary files on the system, potentially leading to privilege escalation, data corruption, or system compromise.
Recommendation
Immediately update GNU gzip to a version containing commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269. As a temporary workaround, ensure the mktemp utility is available in the PATH for all users.
Original NVD description (English source)
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269

