CVE-2026-46607
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
Glances is a system monitoring tool that prior to version 4.5.5 used pickle.load() to read a version-check cache file. The lack of integrity checks and format validation before deserialization allows an attacker with access to this file to plant a malicious pickle file, leading to arbitrary code execution.
Risk Assessment
An attacker with access to the file path can exploit this vulnerability to execute malicious code as the operating system user, posing a significant security risk.
Recommendation
It is recommended to update Glances to version 4.5.5 or later to mitigate this vulnerability and to restrict access to the cache directory.
Original NVD description (English source)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path — through any of several realistic local or container-level scenarios — can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default). This vulnerability is fixed in 4.5.5.

